BottleCap: a credential manager for capability systems

In distributed systems, capability-based security provides substantial performance and scalability advantages over traditional user-based authentication. Unfortunately, the usual implementation of this concept in a networked context, the password capability , suffers from problems of uncontrolled rights propagation: once a capability has been issued, its issuer no longer has any control over its delegation. Its password can be disseminated, maliciously or accidentally, in arbitrary ways. This paper introduces BottleCap, a capability container that addresses this problem. Using Trusted Computing technologies, BottleCap binds capabilities to the machine to which they are issued, holding their secrets in sealed storage. Users can still freely wield the rights represented by the capabilities they hold, but cannot discover the secrets underpinning those capabilities, preventing the delegation of the rights they represent except under the supervision of BottleCap.