[cap-talk] ACLs: why not have them IN ADDITION to capabilities

John Carlson john.carlson3 at sbcglobal.net
Sun Jul 30 18:10:07 EDT 2006


Much is said on this list about the "evils" of ACLs. But why can't
we have them IN ADDITION to capabilities? Do they break the
capability model in some way? I am thinking the answer
is that ACLs grant too much authority. Is there some way to fit
ACLs into a capability framework (instead of vice versa)? If you
have, somewhere in your system, a notion of user, then
you could write custom logic that would test for the user. What
I am thinking of is using client-side certificates to authenticate
users. The capability being passed to another user *might*
send with that capability the user who was originally
granted the authority. Then in some ways, we could track
where the capability travelled to (which we can do anyway),
and who was responsible for a capability leak.

This sounds like an administrative nightmare for most systems,
but adding the notion of user may help sell capabilities in
some circles.

John
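Added example, not part of John's post: a small Python sketch of the idea above, a capability that carries the user it was originally granted to and the path it has been passed along, with an ACL-style test on the presenting user layered on top. The user names, resource path and ACL contents are constructed for illustration; the "presenting user" stands in for whoever a client certificate authenticated.

```python
from dataclasses import dataclass

# Constructed sketch: a capability that also records the user it was
# originally granted to, plus every user it has since been passed to.
@dataclass(frozen=True)
class Capability:
    resource: str
    rights: frozenset
    original_grantee: str   # user first granted the authority
    path: tuple = ()        # users the capability has travelled through

def grant(resource, rights, user):
    """Mint a fresh capability, attributed to the user receiving it."""
    return Capability(resource, frozenset(rights), user, (user,))

def delegate(cap, to_user):
    """Pass a capability on: rights and original grantee are kept,
    the path grows, so a leak can later be attributed."""
    return Capability(cap.resource, cap.rights,
                      cap.original_grantee, cap.path + (to_user,))

# Constructed ACL kept IN ADDITION to the capabilities: which authenticated
# users may present a capability for this resource at all.
ACL = {"/reports/quarterly": {"alice", "bob"}}

def authorize(cap, presenting_user, right):
    """Capability check first, then the extra user-based ACL test.
    Returns (allowed, reason)."""
    if right not in cap.rights:
        return False, "capability does not carry right %r" % right
    if presenting_user not in ACL.get(cap.resource, set()):
        return False, ("%s is not on the ACL; capability originally granted to %s"
                       % (presenting_user, cap.original_grantee))
    return True, "allowed"

def leak_report(cap):
    """Who was responsible for the authority and where it travelled."""
    return cap.original_grantee, list(cap.path)

if __name__ == "__main__":
    cap = grant("/reports/quarterly", {"read"}, "alice")
    leaked = delegate(delegate(cap, "bob"), "mallory")
    print(authorize(leaked, "mallory", "read"))
    print(leak_report(leaked))
```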
