Here's what I told the DWN people
Alan Karp
Comments appreciated.
----------------------
Revoking a public key is harder than revoking a certificate capability. You don't know who will be relying on a public key, so you need some sort of widely accessible list of the revoked public keys. For a capability, you know that only the verifier for the resource the capability designates needs to know that the capability has been revoked. While simpler, any capability revocation scheme must have a way to know if a revocation request is authorized. You also need a way to tell the resource server to stop honoring a specific capability and any delegations from it. That could be a problem if you've replaced parts of the delegation chain with proofs that the delegation is legal. There's also the complication of a distributed system. Is the revocation effective when received by the first node? The last? A quorum?
There are a number of options when deciding how to do revocation, some of which are in conflict. The design will have to make choices based on requirements specific to the system. The key difference among these choices is who is authorized to revoke a capability.
1. No revocation; rely on short-lived capabilities.
This is the approach taken by Simple Public Key Infrastructure (SKPI, pronounced spooky), RFC 2693, 1999. One problem with this approach is the need to continually reissue capabilities that are needed beyond the expiration time. Another is picking the lifetime. Too long, and there's too much opportunity for abuse; too short and the refresh overhead is too high. One example of the problem is OAuth 2. They originally recommended a 5 minute lifetime for bearer tokens, which later was increased to hours and then days.
2. Revocation is a specific permission.
You might want a specific revoke capability that you can delegate to someone else. For example, Alice delegates a capability to Bob and delegates the revoke permission to HR. When Bob changes jobs or leaves the company, HR can revoke all capabilities delegated to Bob without needing to be in the delegation chain.
3. The holder of a capability can revoke it.
It seems unnecessary for the holder of a capability to revoke it. You could just stop using it. However, explicitly revoking a capability you hold prevents accidental use of it or use by a successful hack.
4. The delegator of a capability can revoke direct delegations.
This choice is the most natural. In fact, it's necessary, but there are cases, discussed below, where it is not sufficient.
5. The delegator of a capability can revoke any delegation deeper in the chain.
There are enterprise use cases in which #4 can cause problems. Imagine Alice, a director, delegates a capability to Bob , a department manager, who subsequently delegates that capability to Carol, David, and perhaps many more. Alice finds out that David should not have been given the permission, but Bob is unavailable to revoke David's capability. With #4, Alice can revoke Bob's capability, but then Carol and the other can't do their jobs. With #5 Alice can revoke the capability given to David. This use case presumes that Alice knows David got a delegation, but such auditing is necessary in an enterprise.
6. Revoke the public key the certificate capability is issued to.
Telling the resource server that the public key a capability was issued to is revoked effectively revokes the capability, but you need a separate mechanism to know who has permission to revoke that public key. If the public key was used for more than one capability, you might inadvertently revoke that capability as well. Consider the case where Alice is a contractor for Bob, who gives her a capability to some resource. Alice is also a contractor for Carol, who gives Alice a different capability to the same resource, a common situation in the enterprise. A problem arises if Alice uses the same public key for both capabilities. Bob will revoke the public key when his contract with Alice ends, but that will also revoke the capability Alice got from Carol, whose contract is still active. If the intent is to revoke all capabilities issued to Alice by revoking one key, then you need a widely accessible place to list revoked public keys so that all capability verifiers can find them. However, you lose the privacy that comes from using different public key for each capability.
--------------
Alan Karp
Rob Meijer
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z155CKv5eaowj%3Dd2aqOFdo%3DrmnDaU96-8P_4%2Bk62iGEsg%40mail.gmail.com.
Mark S. Miller
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAMpet1VYsF%2B%3DXqUN2fhaO3LdZH0LoxNVDaH39E4kV1HYhB%2BDag%40mail.gmail.com.
--MarkM
Alan Karp
--------------
Alan Karp
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK5yZYga-OW92rR9XAF9KXqep%3D9Ra9rFSParb6C1Wn6us%3Dh%3DZg%40mail.gmail.com.
Mark S. Miller
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2MpBmNAaycFs6wNn%3D5Bx8KzzjA0abLU6vuVDNTE%3DrVwA%40mail.gmail.com.
--MarkM
Alan Karp
--------------
Alan Karp
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK5yZYjTBr6prRDHABwapy4QNKNm9y0ZkaSgenrh%2Bz_iew-m7Q%40mail.gmail.com.
Mark S. Miller
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2M44O9JZurf3w-ynLXoVmO4-8xZbOMNQbdLkoR7AVoyg%40mail.gmail.com.
--MarkM
Mike Stay
--
Mike Stay - meta...@gmail.com
https://math.ucr.edu/~mike
https://reperiendi.wordpress.com
Jonathan Frederickson
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAKQgqTYkc0BWVpMFW4nuRPi%2BgePOPy5K5Pgp9F9wBzKMz1-rUw%40mail.gmail.com.
Alan Karp
- To revoke all delegations from that capability without having to track them individually.
- To prevent accidental use (a Least Privilege argument).
- To prevent use in a subsequent hack.
--------------
Alan Karp
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAK5yZYgJFuQOAFOu38m%2BNL5SM_Rdnv5L4y68ZxstF%3DG-ag6qXg%40mail.gmail.com.
Alan Karp
Number 3 had me confused at first, untill I realized #3 and others that follow imply "individual" delegation of revocable capabilities (basically one caretaker per object delegated to). While this is a valid and solid (though sometimes complicating) concept, it might help making it explicit.
If the revocable delegation isn't individual, for example when scaling horizontally, the question arises if an instance having the authority to revoke in the name of the service would constitute least authority, and use-only caps will make sense.
I think in order to make the case against use-only caps, you should probably explicitly make the case for individual delegation of revocable caps.
--------------
Alan Karp
Rob Meijer
--
--------------
Alan Karp
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z0JQwokbJuRF5pAL5GvY49xuC7HFUctzNm5w1Jn-0Xm8Q%40mail.gmail.com.
Alan Karp
--------------
Alan Karp
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAMpet1UO%2BAnoXeFSM5HODV7YaeDL8vTL_xaAPeAp681QoPz-CA%40mail.gmail.com.