Scribit Alan Karp dies 26/12/2022 hora 11:08:
> What is to prevent some of those delegations being to a sock puppet?
And if we simply revoke all delegations made by Bob, it means every
"worker bee" in his former service now needs to reacquire
capabilities.
If they can do that easily, what would prevent the sock puppet to do
the same?.
So isn't the real question more about how to prevent Bob from creating
a sock puppet?
If there is a service that can authenticate genuine agents of the
system and extract their capabilities from Bob's membrane, you can
disable his membrane when he leaves the service/company.
So whenever Bob wants to delegate a capability, he just creates a
caretaker object that he gives access to a third party, like Zebra
Copy (or hist sock puppet). By default, the caretaker is inside Bob's
membrane. If Bob leaves the service, his membrane is revoked and Zebra
doesn't have access anymore (and neither does the sock puppet).
But if the legal department verifies that Zebra Copy is a genuine
company that provides services, it gets its own membrane and all
caretakers are migrated there. Ideally, the revocation capabilities to
those caretakers should remain in a manager shell for the service
after Bob's access as a manager is disabled, for the next manager to
get. (or for other managers to use even while Bob is still there)
As the sock puppet won't get verified by HR or legal, it won't get its
own membrane.
Tentatively,
Pierre Thierry
--
pie...@nothos.net
OpenPGP 0xD9D50D8A