Fastly have done some fantastic work in this area; it's great to hear about it! I would like to warn about putting more than one capability into a credential. Once you do this, the lovely mathematical properties that object-capability systems grant you don't entirely hold, even if the weakness is nicely scoped. Being able to re-use one credential for a different resource is at the root of a wide variety of vulnerabilities, especially attacks involving enumeration or IBAC.
Insightful talk; I would love to see better alternatives to JWT become common. However, server-side sessions still seem like a solid alternative, with far fewer problems and less attack surface than any of the signed token approaches discussed.
Server-side sessions are also a big headache, and more challenging to scale, especially cross-region.
Isn’t the fact that he has a black card authorization and not authentication?
This is a bit of a rabbit hole, as the distinction isn't always quite so clear. Yes, the card names a Subject, but at this point in the day, it's unlikely that staff are verifying that the human wearing the card is the subject so named. Indeed, we probably don't even care if they weren't - what we mostly care about is whether someone has paid the appropriate amount for a human to be there.
The example more commonly used (and clearer) is the car key, but variety is the spice of life, I guess.