[cap-talk] In Defense of Identities - really not

Jonathan S. Shapiro shap at eros-os.com
Wed Dec 6 15:35:55 CST 2006


On Wed, 2006-12-06 at 13:17 -0800, Jed at Webstart wrote:
> Of course I argue that any permission to an object should convey the
> permission to modify the object's ACL - exactly so as to delegate
> that permission to another subject....

This is exactly what you do *not* want. You want the *ability* to do
this, but not the mandate to do this. There is value (in the form of a
barrier cost created by the need to proxy) in controlling delegation --
and especially so in a shared system like OpenCM where user sessions are
intentionally very short and there is no ability for users to introduce
code (therefore no ability to proxy).

> If you deal with the
> permission to modify an ACL in that why then I argue that you have
> created object-capability semantics with an ACL implementation.

Indeed, but why in the seven hells would anybody build all of that
mechanism if all they wanted was capabilities? I don't understand why
going through all that bother makes any sense.

> >The original OpenCM design
> >did not distinguish these write authorities. The later version (which is
> >finally getting cleaned up now) does.
> >
> >The directory example is going to force me to reconsider whether we
> >handled the ACL issue well. I'm beginning to think that we may want to
> >re-open it.
> 
> Sigh!  Even flap in implementations?  Is it any wonder our systems don't
> climb in market leadership?  I argue that if your ACL implementation doesn't
> supply object-capability semantics for delegation then your design does
> indeed need to be re-opened!

It doesn't. It won't. That's deliberate, and in the context of OpenCM it
makes sense. MarkM went down this rathole with me years ago, and
reluctantly concluded that the choices we made in OpenCM were better
than capability semantics for this application.

However, there are other constraints operating in the OpenCM case that
may make it extremely unusual. It seems unlikely that it's a
generalizable example, though it also seems like we should examine the
proposition that it might be.
-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
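The distinction being argued over above, as an added illustration that is not code from this thread, from OpenCM or from either poster: one ACL structure evaluated under two delegation policies. Under the first, holding a right on an object implies the right to pass it on (the quoted position). Under the second, passing a right on additionally requires a separately held GRANT right, so the ability to delegate exists but is not automatic. The names (`Acl`, `Right`, `Policy`, `attempt_grant`), the subjects and the audit trail are all constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class Right(Enum):
    READ = auto()
    WRITE = auto()
    GRANT = auto()   # right to modify this object's ACL (delegate or revoke)


class Policy(Enum):
    ANY_RIGHT_DELEGATES = auto()  # holding a right implies the right to pass it on
    EXPLICIT_GRANT = auto()       # passing a right on also requires GRANT


class Denied(PermissionError):
    """Raised when an ACL change is refused by the active policy."""


@dataclass
class Acl:
    policy: Policy
    entries: dict = field(default_factory=dict)   # subject -> set of Right
    audit: list = field(default_factory=list)     # constructed audit trail

    def rights_of(self, subject):
        return self.entries.get(subject, set())

    def check(self, subject, right):
        """True if subject may exercise right; never modifies the ACL."""
        return right in self.rights_of(subject)

    def _authorize_change(self, actor, right):
        held = self.rights_of(actor)
        if right not in held:
            # Neither policy lets a subject hand out a right it does not hold
            # itself (no amplification through the ACL).
            raise Denied(f"{actor} lacks {right.name} and cannot delegate it")
        if self.policy is Policy.EXPLICIT_GRANT and Right.GRANT not in held:
            # The ability to delegate is present, but only for GRANT holders;
            # everyone else would have to proxy the object to share it.
            raise Denied(f"{actor} holds {right.name} but not GRANT")

    def grant(self, actor, right, grantee):
        """actor adds right to grantee's entry, if the policy allows it."""
        try:
            self._authorize_change(actor, right)
        except Denied as exc:
            self.audit.append(f"DENY grant {right.name} {actor}->{grantee}: {exc}")
            raise
        self.entries.setdefault(grantee, set()).add(right)
        self.audit.append(f"ALLOW grant {right.name} {actor}->{grantee}")

    def revoke(self, actor, right, subject):
        """Same authorization rule as grant, applied to taking a right back."""
        self._authorize_change(actor, right)
        self.entries.get(subject, set()).discard(right)
        self.audit.append(f"ALLOW revoke {right.name} {actor}-x->{subject}")

    def denials(self):
        """Audit entries a monitor would alert on: refused delegation attempts."""
        return [line for line in self.audit if line.startswith("DENY")]


def attempt_grant(acl, actor, right, grantee):
    """Convenience wrapper: True if the grant was allowed, False if denied."""
    try:
        acl.grant(actor, right, grantee)
        return True
    except Denied:
        return False


if __name__ == "__main__":
    # Constructed scenario: alice owns the object, bob has read access only.
    acl = Acl(Policy.EXPLICIT_GRANT)
    acl.entries["alice"] = {Right.READ, Right.WRITE, Right.GRANT}
    acl.entries["bob"] = {Right.READ}
    print("bob shares READ with carol:", attempt_grant(acl, "bob", Right.READ, "carol"))
    acl.grant("alice", Right.GRANT, "bob")
    print("bob shares READ after receiving GRANT:",
          attempt_grant(acl, "bob", Right.READ, "carol"))
    cap = Acl(Policy.ANY_RIGHT_DELEGATES)
    cap.entries["bob"] = {Right.READ}
    print("same share under ANY_RIGHT_DELEGATES:",
          attempt_grant(cap, "bob", Right.READ, "carol"))
    for line in acl.audit + cap.audit:
        print(line)
```

The `denials()` list is the detection hook: under `EXPLICIT_GRANT`, a subject that repeatedly tries to extend its own rights to others shows up in the audit trail without ever succeeding, whereas under `ANY_RIGHT_DELEGATES` the same sharing succeeds silently and the only remaining control is whether the actor holds the right at all.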
