
List:       e-lang
Subject:    RE: [E-Lang] cap-based design question
From:       "Karp, Alan" <alan_karp () hp ! com>
Date:       2001-08-31 0:49:50

I'm not sure I understand the problem.  Why doesn't a per-user proxy
solve the problem?

Assume there is exactly one capability per branch.  When a user logs in,
start a proxy that is the only way the user's process can talk to the
system.  This proxy can have a table mapping between the name of a branch
and the capability needed for access.  Where does this mapping come from?
An authorization server with an ACL, of course.  Thankfully, that's not the
same thing as putting the ACL in the access control path.  

Accessing an object involves sending the request to the proxy along with the
name of the branch.  If the proxy has no mapping for the name, the request
fails as if the branch didn't exist.  Now, you can revoke all of a user's
privileges by revoking the user's capability to the proxy.  You can also
selectively increase or decrease the allowed scope by adding or removing
entries from the proxy's mapping table.  New capabilities are created only
when new branches are added and revoked only when branches are deleted.

Auditing is an issue I prefer to separate from capabilities.  In e-speak, we
had the core (TCB) publish an event on each access to an object.  This event
allowed us to track the protection domain (not quite the user) that
originated the request.  We also allowed the object to use a per-client
encryption key if it wanted to do its own auditing.  (Actually, we couldn't
stop it if we'd wanted to.)

_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-3
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
 
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang
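The per-user proxy described in the message above, as an added example in Python (not code from the post or from e-speak): the proxy holds a branch-name-to-capability table filled once from an ACL at login, a caretaker forwarder is the user's only capability to the proxy, and all class and function names are assumptions for illustration.

```python
class NotFound(Exception):
    """Not in the user's table: indistinguishable from a nonexistent branch."""
class Revoked(Exception):
    """The user's capability to the proxy has been revoked."""

class Branch:
    """A protected object. Holding a reference to it IS the capability."""
    def __init__(self, name):
        self.name = name

    def read(self, requester):
        return f"{requester} read {self.name}"

class UserProxy:
    """Only path from the user's process to the system: maps names to caps."""
    def __init__(self, user):
        self.user = user
        self._table = {}  # branch name -> capability (a Branch reference)

    def grant(self, name, cap):  # widen scope; no new capability is minted
        self._table[name] = cap

    def ungrant(self, name):  # narrow scope; the capability itself survives
        self._table.pop(name, None)

    def access(self, name):
        cap = self._table.get(name)
        if cap is None:  # unknown and unauthorized are indistinguishable
            raise NotFound(name)
        return cap.read(self.user)

def make_revocable(proxy):
    """Caretaker: returns (forwarder, revoke); the user holds only the forwarder."""
    target = [proxy]
    def forwarder(name):
        if target[0] is None:
            raise Revoked(proxy.user)
        return target[0].access(name)

    def revoke():
        target[0] = None
    return forwarder, revoke

def login(user, acl, branches):
    """Authorization server consults the ACL once, then is out of the path."""
    proxy = UserProxy(user)
    for name in acl.get(user, ()):
        proxy.grant(name, branches[name])
    return (*make_revocable(proxy), proxy)
```

Revoking the forwarder cuts the user off entirely, while editing the proxy's table adjusts scope without creating or destroying any branch capability.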
