Re: Scientific Literature on Capabilities (was Re: CORS versus Uniform Messaging?) from Ian Hickson on 2009-12-17 (public-webapps@w3.org from October to December 2009)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 17 Dec 2009 20:58:50 +0000 (UTC)
To: Kenton Varda <kenton@google.com>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.62.0912172054430.15825@hixie.dreamhostps.com>

On Thu, 17 Dec 2009, Kenton Varda wrote:
>
> It seems more useful to attribute resource usage to the user rather than 
> to the sites the user uses to access those resources.  In my example, I 
> might want to limit Alice to, say, 1GB data transfer per month, but I 
> don't see why I would care if that transfer happened through Bob's site 
> vs. Charlie's site.

With CORS, I can trivially (one line in the .htaccess file for my site) 
make sure that no sites can use XBL files from my site other than my 
sites. My sites don't do any per-user tracking; doing that would involve 
orders of magnitude more complexity.


> > - Service providers often like to know for the sake of record-keeping 
> > who is using their data, even if they have no interest in restricting 
> > it. Often, just creating an incentive to identify yourself and ask for 
> > separate authorization is enough, even if proxy workarounds are 
> > possible. The reason given below states such an incentive.
> 
> I think this is separate from the security question.  As I said earlier, 
> origins can voluntarily identify themselves for this purpose, just as 
> browsers voluntarily identify themselves.

How can an origin voluntarily identify itself in an unspoofable fashion? 
Without running scripts?


> It seems like the fundamental disagreements here are:
> - Cap proponents think that the ability to delegate is extremely valuable,
> and ACLs provide too much of a barrier against delegation.  ACL people think
> delegation is not as important as Cap people think it is.  Arguments either
> way tend to be abstract, and thus unconvincing to either side.
> - ACL proponents think that capabilities are too easy to leak accidentally.
>  Cap people think that the defenses provided by capability design patterns
> provide plenty of protection, but ACL people disagree.  Argument either way
> again tend to be abstract, and thus unconvincing.

I have no problem with offering a feature like UM in CORS. My objection is 
to making the simple cases non-trivial, e.g. by never including Origin 
headers in any requests.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 17 December 2009 20:59:36 UTC