[cap-talk] automatic policy ... enforcement - hope? -
jed at nersc.gov
Fri Sep 24 14:09:24 EDT 2004
At 09:22 AM 9/23/2004, Tyler Close wrote:
>David Wagner wrote:
>>(For instance, does all the fine-grained security increase
>>the amount of permissions floating around and thereby make security too
>>clumsy or at least somewhat clumsy?)
>I think this question demonstrates a fundamental misunderstanding of the
>If you take a large grained permission and split it into two smaller
>grained permissions, you have not increased the number of permissions in
>your application. The two smaller grained permissions in the new design
>existed in the old design. The only difference is that the old design made
>it impossible to manipulate the two permissions independently. The new
>design gives you the expressive power to manipulate the two permissions
>independently, but does not prevent you from grouping them and treating
>them as a single unit. This kind of grouping is formally known as the
>Facade design pattern.
>When you increase your expressive power, you make a system easier to
>wield, not harder to wield. I find it fascinating that your question
>assumes the exact opposite.
Thanks for the pointer to the Facade design pattern discussions
(Googled). In some sense that is what I was referring to when I noted
earlier that in most of the older generation of capability systems the
explicit management of the capability communication was hidden in library
routines by the time it came to application programmers to do things like
open files, manage directories, fork processes, communicate on the network,
manage displays, etc., etc.
>I was wondering if in your conversations with grey beards, if you could
>also ask the grey beard if they ever became an object oriented programmer.
While I can't be sure what you encompass in that term "object oriented
programmer", I would say that I (representing "grey beard"s here, whew ;-)
have done a fair amount of object oriented programming - through a number
of generations. E.g. enough to know why my friends should be the only ones
with access to my private parts.
>I suspect a causal relationship between those who have not acquired these
>abstraction and composition skills, and those who don't 'get'
>capabilities. I think you have to be a master programmer before you can
>design an access control model for software.
Gosh, I hope not. If that's true then I am afraid our efforts at finer
grained access control may be doomed. Of course again I'm not sure what is
meant by "master programmer", but it sounds pretty exclusive. As noted in
the libraries reference above I believe there are many ways to hide
complexity, and they don't all require master programmer status.
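The split-then-regroup idea discussed above (one coarse file permission becoming independent read and write capabilities, with a Facade that groups them back into a single unit), as an added example that is not part of the thread or of any system the participants mention. The class names (FileStore, ReadCap, WriteCap, ReadWriteFacade) and the in-memory store are constructed for illustration. It also shows the part the text only implies: once the halves are separate, the facade can hand out just the read half, which the coarse design could not express.

```python
"""Added example: a coarse read/write file permission split into two
capabilities and regrouped with a Facade. All names are hypothetical."""


class FileStore:
    """Constructed in-memory stand-in for a filesystem."""

    def __init__(self):
        self._files = {}

    def _read(self, name):
        return self._files[name]

    def _write(self, name, data):
        self._files[name] = data


class ReadCap:
    """Unforgeable reference that conveys only the authority to read one file."""

    def __init__(self, store, name):
        self._store, self._name = store, name

    def read(self):
        return self._store._read(self._name)


class WriteCap:
    """Unforgeable reference that conveys only the authority to write one file."""

    def __init__(self, store, name):
        self._store, self._name = store, name

    def write(self, data):
        self._store._write(self._name, data)


class ReadWriteFacade:
    """Facade: groups the two fine-grained capabilities back into the old
    coarse-grained unit. No new authority is created; the facade merely
    forwards to the capabilities it was built from."""

    def __init__(self, read_cap, write_cap):
        self._r, self._w = read_cap, write_cap

    def read(self):
        return self._r.read()

    def write(self, data):
        self._w.write(data)

    def read_only(self):
        """Attenuation: hand out only the read half to a less trusted party."""
        return self._r


def make_file_caps(store, name):
    """Mint the two halves of what used to be one read/write permission."""
    return ReadCap(store, name), WriteCap(store, name)


def demo():
    """Build the facade, write through it, then give a consumer only the
    read half and confirm that the consumer holds no write authority."""
    store = FileStore()
    read_cap, write_cap = make_file_caps(store, "notes.txt")
    rw = ReadWriteFacade(read_cap, write_cap)
    rw.write("hello")
    consumer_view = rw.read_only()
    consumer_can_write = hasattr(consumer_view, "write")
    return rw.read(), consumer_view.read(), consumer_can_write


if __name__ == "__main__":
    print(demo())  # ('hello', 'hello', False)
```

Application code that only ever needs the grouped form keeps using the facade exactly as it used the old coarse permission; the extra expressive power is paid for only where someone chooses to pass a single half along.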