On Sat, Jul 22, 2023 at 10:27 PM Alan Karp <alan...@gmail.com> wrote:
>
> On Sat, Jul 22, 2023 at 7:00 AM Matt Rice <rat...@gmail.com> wrote:
>>
>> One thing I would like to see, rather than post-grant authority
>> analysis, is analysis of the proposed or projected worlds/bounds
>> before a capability is actually granted so as to avoid rather than
>> respond to excess authority...
>
>
> I took a different approach in Client Utility. I was concerned that an admin might accidentally give a powerful capability to a guest, so I introduced negative capabilities. A negative capability for an object in your c-list would prevent you from invoking that object even if you had a capability to the object in your c-list. The nice part is that you can delegate without worrying if you might be violating some policy. You still need a way to express who gets which negative capabilities, but I believe this approach provides a mechanism to support your requirement.
>
It is an interesting mechanism. I'm somewhat assuming that
capabilities can still be delegated to others who lack a negative
capability; this seems scary from a social engineering perspective,
but it also brings with it interesting useful interactions: 'give this
capability to bob and he'll get you set up'... That said, there seem
to be cases where negative capabilities negate interaction, such as
the interaction between a confined/unforgeable space and a password
capability/guessable space, if you have a negative capability on
invocation of password capabilities instead of the typical absence of
password capabilities within a topological confinement... Negative
capabilities do seem like a curious tweak of the model.
One of the things discussed in the paper was "enabling logging
mechanisms that record when a user has been allocated permission",
which is easily doable from a power box.
That is the basis I was thinking of, primarily because it also
reflects how permissions change over time, and viewing them as
time-series data in retrospect. Neither the negative capabilities nor
how creeper works by building a model via enumerating permissions seem
to capture any point of reference naturally beyond the current one.
Sorry for sort of straying off topic....
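A toy model of the negative-capability mechanism Alan describes, together with the delegation case and the time-series replay Matt raises in reply, added here as an example; it is not code from Client Utility or from anyone on the thread, and the class and function names (Principal, Powerbox, can_invoke, authority_at) are this example's own assumptions.

```python
# Toy model of the "negative capabilities" described in the thread: a negative
# capability in a c-list blocks invocation even when the positive capability is
# also present, and a powerbox logs every grant so authority can be replayed as
# a time series. Names and structure are this example's own assumptions.
from dataclasses import dataclass, field

@dataclass
class Principal:
    name: str
    clist: set = field(default_factory=set)      # positive capabilities
    negatives: set = field(default_factory=set)  # negative capabilities

class Powerbox:
    def __init__(self):
        self.log = []  # (seq, event, actor, obj) in the order they happened

    def _record(self, event, actor, obj):
        self.log.append((len(self.log) + 1, event, actor, obj))

    def grant(self, p, obj):
        p.clist.add(obj)
        self._record("grant", p.name, obj)

    def deny(self, p, obj):
        # Install a negative capability; the positive one stays in the c-list.
        p.negatives.add(obj)
        self._record("negative", p.name, obj)

    def delegate(self, src, dst, obj):
        # Only the positive capability is copied: the delegator's negatives
        # constrain the delegator, not the recipient (the "give it to bob" case).
        if obj not in src.clist:
            raise PermissionError(f"{src.name} holds no capability to {obj}")
        dst.clist.add(obj)
        self._record("delegate", f"{src.name}->{dst.name}", obj)

def can_invoke(p, obj):
    """A negative capability wins over a positive one in the same c-list."""
    return obj in p.clist and obj not in p.negatives

def authority_at(pb, who, seq):
    """Replay the log up to `seq` to recover what `who` could invoke then."""
    held, blocked = set(), set()
    for _s, event, actor, obj in pb.log[:seq]:
        if (event == "grant" and actor == who) or \
           (event == "delegate" and actor.endswith("->" + who)):
            held.add(obj)
        elif event == "negative" and actor == who:
            blocked.add(obj)
    return held - blocked
```

Replaying the powerbox log with authority_at gives the per-moment view of who could invoke what, which is the point of reference beyond "now" that the reply says a plain c-list snapshot lacks.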