ping: A little while ago i took a security course from David Wagner in which we did weekly readings and summaries.
ping: http://www.cs.berkeley.edu/~pingster/sec/wallach-java.html
tyler: I like it. Maybe we should put together a sort of "Hall of Shame", where criticism of ACL papers is indexed. |
ping: That's a great idea. |
danfuzz: Yes. |
ping: I notice that capmyths.com is available -- but if you have a better name in mind, let's hear it. |
danfuzz: I'd suggest a page sitting directly on one of the pre-existing capability-friendly sites, such as erights.org or waterken.com. |
ping: Upon looking back at it i think to myself, "Oh my! Those comments were pretty harshly worded." But perhaps you will find it interesting. |
chip: Harsh but pretty much on the mark. |
tyler: Heh. |
shap: While I love Ping's enthusiasm, several key statements on that web page are more enthusiastic than accurate. Some observations. |
shap: Speaking for myself, I would argue that the paper has a more fundamental flaw. |
markm: I don't remember any math in the Wallach paper. |
shap: I am indeed! Thank you for the correction. |
ping: Okay, |
zooko: Your criticism is quite apt, Jonathan. |
zooko: At the time I wasn't familiar enough with the paper to effectively bring the contradictions to Dr. Mitchell's attention.
marcs: Zooko, does it make any sense for you to email Dr. Mitchell and bring him up to date on the discussion that has taken place on this thread? |
shap: Drew Dean, however, certainly knew better all along. The paper's claims are negligent. |
shap: Ping writes: "communicating conspirators cannot be prevented from delegating authority in any system." This is not strictly true.
markm: Referring to the diagrams at http://www.erights.org/elib/capability/conspire.html : |
markm: AFAIK, imposing a bit-only channel serves only two security purposes:
markm: I meant to say "imposing a bidirectional bit-only channel ..." |
markm: If there's a bi-directional bit channel between Bob and Mallet, |
shap: True, but not relevant. The question was can Bob transfer authority, not can Bob perform a de facto delegation of authority.
chris: Jonathan: read Ping's words again. He said "communicating conspirators cannot be prevented from delegating authority in any system". |
shap: Thank you for the correction. |
daw: For what it's worth, I read Ping's words the same way Chris did. Maybe this was too ambiguous. |
shap: I agree that Ping's point was sound, and I wasn't trying to undermine his conclusion. |
shap: Ping: My apologies if I misread you. Just so we all understand, which way did you mean? |
ping: I did intend the meaning Chris is thinking of: that is, if A can send messages to B, |
ping: I guess i don't really understand why any other definition is necessary. |
zooko: For one thing, a capability is around 20 bytes, and a copy of the object being accessed might be any size: kilobytes, megabytes, gigabytes, terabytes... |
ben: One obvious difference is that if you break the channel between A and B, then in one case A can no longer exercise B's authority, |