Macaroons (computer science)
In computer security, macaroons are authorization credentials that support decentralized delegation between principals.[1]
Macaroons are used in a variety of systems, including the Ubuntu Snappy package manager,[2] the HyperDex data store,[3][4] the Matrix communication protocol, and the Python Package Index.[5]
Claims
A macaroon is composed of a series of "caveats", for example:
- may upload files to /user/A/ (issued by server)
- only to /user/A/album/123 (derived by A)
- only GIFs, up to 1MB (derived by B)
- until noon today (derived by C)
The macaroon model does not specify the language for these caveats; the original paper proposes a model of subjects and rights, but the details are left to individual implementations.
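As an added example (not code from the original paper or from any of the implementations named above), the following Python sketch shows how the caveat chain above is bound to a macaroon with chained HMACs, following the construction of the original paper: the server mints with a root key, each holder appends a caveat without needing that key, and the server verifies by recomputing the chain from the root key. The caveat predicate syntax, the root key, the identifier and the timestamps are constructed assumptions for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

ROOT_KEY = b"server-root-secret-example"  # constructed; known only to the issuing server

@dataclass
class Macaroon:
    identifier: bytes
    caveats: list
    signature: bytes

def mint(root_key: bytes, identifier: bytes) -> Macaroon:
    """Server mints a macaroon: sig0 = HMAC(root_key, identifier)."""
    return Macaroon(identifier, [], hmac.new(root_key, identifier, hashlib.sha256).digest())

def add_caveat(m: Macaroon, caveat: str) -> Macaroon:
    """Any holder attenuates by chaining sig' = HMAC(sig, caveat). No root key is needed,
    and the previous signature is discarded, so a caveat cannot be removed afterwards."""
    sig = hmac.new(m.signature, caveat.encode(), hashlib.sha256).digest()
    return Macaroon(m.identifier, m.caveats + [caveat], sig)

def check_caveat(caveat: str, request: dict) -> bool:
    """Toy caveat language assumed for this example; the macaroon model leaves it open."""
    key, _, value = caveat.partition(" = ")
    if key == "path_prefix":
        return request["path"].startswith(value)
    if key == "max_bytes":
        return request["size"] <= int(value)
    if key == "expires":
        return request["now"] <= int(value)
    return False  # unknown caveat: fail closed

def verify(root_key: bytes, m: Macaroon, request: dict) -> bool:
    """Server recomputes the HMAC chain from its root key, then checks every caveat."""
    sig = hmac.new(root_key, m.identifier, hashlib.sha256).digest()
    for caveat in m.caveats:
        sig = hmac.new(sig, caveat.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(sig, m.signature) and all(check_caveat(c, request) for c in m.caveats)

def demo() -> tuple:
    m = add_caveat(mint(ROOT_KEY, b"token-42"), "path_prefix = /user/A/")  # issued by server
    m = add_caveat(m, "path_prefix = /user/A/album/123")  # derived by A
    m = add_caveat(m, "max_bytes = 1048576")  # derived by B
    m = add_caveat(m, "expires = 1700000000")  # derived by C (constructed timestamp)
    req = {"path": "/user/A/album/123/cat.gif", "size": 4096, "now": 1699990000}
    forged = Macaroon(m.identifier, m.caveats[:2] + m.caveats[3:], m.signature)  # B's limit dropped
    return (verify(ROOT_KEY, m, req), verify(ROOT_KEY, m, dict(req, size=2_000_000)),
            verify(ROOT_KEY, forged, req))
```

`demo()` returns `(True, False, False)`: the fully attenuated macaroon authorizes a small GIF upload, the same macaroon rejects an oversized upload, and a copy with B's size caveat stripped fails the signature check because the chain no longer recomputes.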
Related technologies
Macaroons are similar to some other technologies.
Compared to JSON Web Token (JWT):
- The holder of a macaroon can derive a sub-macaroon with narrower authority, whereas a JWT is fixed once issued
- A macaroon is notably longer than a JWT
- A macaroon is equivalent to a signed JWT, but there is no equivalent of an encrypted JWT
Compared to certificates:
- Macaroons are based on a symmetric model, while certificates are based on an asymmetric one
- Macaroons are computationally cheaper and require simpler cryptographic primitives
- Using a macaroon (which is sent to a server) can disclose some private information held by the macaroon holder, so the server must be trusted; using a certificate means signing a payload with a private key that is never sent to the server, so communication with untrusted servers is less risky
Invalidation
Implementations need to decide whether the entire macaroon tree is invalidated at once from its root, the server's secret key, or whether intermediate macaroons are to be blacklisted, comparable to time-bound JWTs.
References
1. Birgisson, Arnar; Politz, Joe Gibbs; Erlingsson, Úlfar; Taly, Ankur; Vrable, Michael; Lentczner, Mark (2014). "Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud". Proceedings of the 2014 Network and Distributed System Security Symposium. San Diego, CA: Internet Society. doi:10.14722/ndss.2014.23212. ISBN 9781891562358.
2. Nestor, Marius (16 April 2016). "Canonical Announces Snappy 2.0 Ahead of the Ubuntu Core 16.04 LTS Release". Softpedia. Retrieved 2016-05-11.
3. "Time for Better Security for NoSQL". Hacking Distributed. Retrieved 2016-05-12.
4. "My First Macaroon: A New Way to do Authorization". Hacking Distributed. Retrieved 2019-11-22.
5. "A new package index for Python". LWN.net. Retrieved 2019-11-22.