There's something called "Macaroons" that can be used for this.<p>"Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud" Arnar Birgisson, Joe Gibbs Politz, Úlfar Erlingsson, Ankur Taly, Michael Vrable, Mark Lentczner ; Network and Distributed System Security Symposium, Internet Society (2014)<p><a href="https://research.google/pubs/pub41892/" rel="nofollow">https://research.google/pubs/pub41892/</a><p>"Google's Macaroons in Five Minutes or Less" <a href="https://blog.bren2010.io/2014/12/04/macaroons.html" rel="nofollow">https://blog.bren2010.io/2014/12/04/macaroons.html</a><p>A Javascript implementation: <a href="https://github.com/nitram509/macaroons.js" rel="nofollow">https://github.com/nitram509/macaroons.js</a>
Anyone know when this was released?<p>> largely dismissed by computer security reseachers and practitioners due to a history of misunderstandings<p>seems incorrect now as virtually all web auth systems are capability based
So I haven't been exposed to capability systems before so this might be a dumb question.<p>In an OS like KeyKOS, how does the OS protect against privilege escalation using side-channel attacks similar to how encryption keys are extracted via hardware side-channels?
The main myth we discussed over coffee and biscuits back in the compsci staffroom was .. expensive as all hell on the computers we have now. (a good handwaving often used to say "one day, in the future, somebody will make it work")
Shouldn't permissions ultimately be Turing-complete functions?<p>E.g. you could do fancy things like grant someone access to a folder, and also to all subdirectories whose name starts with "collaboration_".<p>And you can build any kind of permission system with it, if you don't like the power or complexity.