Care to explain why? I believe you may be confusing OS-level 'capabilities' implementations (eg. Linux's) with competing 'RBAC' implementations (of which Linux has at least two or three). In fact if you remove the waffle the abstract-level model is the same, and IMHO is that a Wikipedia article should deal with the subject as a whole using the most abstract terminology possible... referencing implementations and their terminological preference is a secondary concern.
A "capability" is, abstractly, a thing. I can send you a message, in that message I can include a capability to access some resource. When you receive the message, you can follow that capability and you'll have access to the resource. Your identity is never checked -- your authority to access the resource is based on your possessing the capability, regardless of who you might be.
RBAC -- role-based access control -- is identity-based. Certain identities have certain roles. Certain roles are allowed to perform certain actions on certain resources. When you access a document in an RBAC system, your identity is determined, then the roles associated with that identity are determined, and then you get access based on whether you have the role.
Capability-based security and identity-based security are mutually exclusive approaches (although you can build a system that does both, for defense in depth).
(See also my very long top-level comment for more background on capabilities and how they are used.)
'Capability' in the system you describe is similar to a token issued (eg. against a session) in an RBAC system. They're just different terminological approaches to the same fundamental problem: how to make dynamic ACLs that are manageable.
You can leave out tokens. You can leave out identities or assume them (eg. IIRC Linux's OS-level capabilities assume this on a per-process or cgroup basis). You can add role-based inheritance, cache, expiry and other features. You can make it mandatory or discretionary. The overall model remains the same, and deserves to be discussed as such.
Reply to below: That all sounds reasonable enough, but possibly confuses academic theoretic fields with the mathematical reality of implementations (not that different, really, and explicable using arbitrary terminological preference) and is full of appeals to authority. It won't do for a holistic explanation, which Wikipedia currently sorely lacks.
Reply to final part of below: Yes, I am aware you are talking about something different to linux caps. Perhaps you can define briefly the difference between an authentication token in any other security system and a capability in the terminology you are using? My interest is in the abstract model, not the implementation. If you are talking about the capsicum implementation, then it's too specific as an OS-level implementation, the sort of thing Laurie encourages ignoring, and will almost certainly die a death of relative obscurity.
... in summary, my view is that they're all just dynamic (feel free to read "glorified") ACLs with differing terminological and philosophical approaches to the management of such. I remain unconvinced of the supposed uniqueness, at the basic model level of abstraction, of the academic field of capabilities based security as you describe them.
The RBAC page you link says nothing about tokens, because tokens are not a fundamental part of RBAC.
It's true that secret tokens commonly appear in security system implementations, and secret tokens usually could qualify as (weak) capabilities by definition. However, usually such tokens are not intended to be used as capabilities, but are rather a practical implementation detail, and the fact that they are transferable is seen as a weakness. E.g. when you log into a web site it stores a cookie on your system which you present back to the server to authorize each request, but abstractly the security model calls for authenticating that each request is coming from you, and the token is being used as a hack to avoid making you sign every request.
Capability-based security is a field of security theory which goes far beyond describing these implementation-detail tokens. In fact, when tokens are used in capability systems, they are again an implementation compromise. A good capability system does not assign authority to a secret sequence of bits, but rather is based on communications protocols where capabilities are explicitly recognized as they pass between contexts. For example, a unix file descriptor is a sort of capability, but its numeric value is not a secret token. It's secure because only the process which possesses the descriptor can access it using that number. You can pass file descriptors between processes, and the OS knows that the transfer is happening and assigns a new number to the object in the new process.
The researchers at the forefront of capability-based security theory, such as Mark Miller, strenuously oppose RBAC. Alan Karp, another researcher, likes to call capabilities "ZBAC" -- "authoriZation-Based Access Control" -- to make explicitly clear that he's talking about a different thing (though I'm not a fan of this acronym personally). Trust me, I know these guys and they will fight hard against any suggestion that their research and RBAC are the same thing.
> You can leave out identities or assume them (eg. IIRC Linux's OS-level capabilities assume this on a per-process or cgroup basis).
Linux OS-level capabilities are NOT capability-based security. This is a common misconception -- Linux/POSIX capabilities were misnamed by people who didn't understand the capability-based security model which predated them. Maybe this is what's confusing you. Indeed, Linux kernel "capabilities" are much more similar to RBAC than to capability-based security.
File descriptors are much closer to being capability-based. Once you have an open file descriptor, you can pass it off to another process. That process will be able to access the file descriptor in the same ways that you could, even if that process doesn't have permission to open the underlying file directly. That's capability-based security. Though, disclaimer: file descriptors are missing a lot of features which are normally considered necessary in a high-quality capability system.
EDIT: Please don't reply by adding new text to the parent post, it's really confusing.
> full of appeals to authority
We're debating the meaning of "capability-based security" and whether it should be merged with "Role-based access control" on Wikipedia. The opinions of the people who have literally spent years or decades of their lives researching these fields is relevant, because they literally defined the terms.
If we were debating whether capability-based security or RBAC is better-suited to a particular purpose, then appeals to authority would be invalid.
> Perhaps you can define briefly the difference between an authentication token in any other security system and a capability in the terminology you are using?
A capability is both a pointer to a resource and a grant of access to that resource. A capability is the subject of an operation.
An authentication token is a thing tacked on to requests indicating that the request was made by some particular user identity. In a way, you could consider it a capability to the user account, where the user account in turn contains capabilities to everything the user can access, and the request receiver digs into that bag and pulls out the needed one automatically in order to authenticate the request -- however, this is convoluted, and not how capabilities are normally used.
A fundamental difference between capability systems and identity systems is "ambient authority". In an identity system, you are authorized to perform a request simply because of who you are. It's "ambient".
Consider how you delegate access to someone else in the two systems:
- In an ACL system, Alice adds Bob to the ACL for a resource, and then asks that Bob to perform an operation on her behalf. However, if Alice is malicious she could request that Bob perform an operation on some other resources which Alice never had access to but Bob did. This is called a confused deputy attack. Bob must carefully check that Alice has the correct permissions on the resource before acting on her behalf.
- In a capability system, Alice sends Bob her capability and then asks Bob to access it. There is no risk of confused deputy because there is no way for Alice to instruct Bob to use a capability that he has but Alice doesn't.
> My interest is in the abstract model, not the implementation.
Then the use of tokens is not relevant.
> If you are talking about the capsicum implementation
I'm not. I'm talking about things like the E programming language, or Microsoft's Midori, or my own Cap'n Proto and Sandstorm.io, or Google Docs invite tokens (an example of an accidental capability system), etc.
> the sort of thing Laurie encourages ignoring
Ben Laurie, who is a friend of mine, would absolutely object to the idea that RBAC and capabilities are the same thing. He is also once of the driving forces behind capsicum so I think you may misunderstand his views on it.
> my view is that they're all just dynamic (feel free to read "glorified") ACLs
Mark Miller et al. explicitly address that belief here:
Of course, if you zoom out far enough, you can argue that anything is basically the same as anything else. But it takes a very liberal definition of "access control list" to include an access control mechanism that does not involve any kind of "list".
> I remain unconvinced of the supposed uniqueness
It's a valid opinion, but you really shouldn't be proposing merging two fields of research on Wikipedia based on an opinion that differs from the experts in said fields.
Apologies, I had to reply in parent as it wouldn't let me reply here.
My goal was to clarify things on Wikipedia. I am not opposed to the idea that x and y and z want to be seen differently, but one should also recognize there are biases in academia and industry that can over-emphasize minute difference (for funding, notability, career, supposed industry USP, etc.). A rose by any other name.
The current Wikipedia content remains terrible to useless and more confusing than a high level overview, IMHO. Since you seem to know so many industry experts, perhaps you would like to write it or we could collaborate? I believe https://en.wikipedia.org/wiki/Computer_security_model or a new comparison-of page would be a good place. It would really be a great contribution.
I would love to help improve descriptions of capability-based security, but I'm unsure if I can do much better than is there now. To me, the existing text seems clear and concise, but perhaps that's because I'm already deeply familiar with the topic. :/
This has been a constant problem for capability-based security researchers: finding the right way to explain the abstract concept such that people "get" it.
- In a capability system, Alice sends Bob her capability and then asks Bob to access it. There is no risk of confused deputy because there is no way for Alice to instruct Bob to use a capability that he has but Alice doesn't.
I don't get this part. Why not? Alice and Bob can still do what they can do, and if Alice is able to send messages to Bob then she can ask Bob to do that very thing. It wouldn't be a confused deputy attack only in that Bob would have to go out of his way to be a confused deputy.
