[cap-talk] MLS gone bad - now capabilities? (was: NCSC TCSEC) Lampson trashes POLP

Valerio Bellizzomi devbox at selnet.org
Tue Nov 21 08:06:42 CST 2006


On 17/11/2006, at 2.03, Valerio Bellizzomi devbox at selnet.org wrote:

(snip)

>... Each
>user is represented in a system by programs, so I tend to think in terms
>of "programs as principals", since a system only understands code, the
>system does not knows what a user is, the fact that ACL systems give
>identity-based access is only an artifact of implementation, as I see it,
>in an object/capability system, each user is himself a capability, and the
>system code only understands capabilities.

I mean:

1. The machine does not recognize persons like humans do. The machine's
*notion* of a person is merely an identification code;

2. Capabilities are the *only* permissions mechanism recognized and
enforced by the kernel;

3. The problem of identification code theft cannot be resolved only by
in-system mechanisms, but needs some other external, organizational
mechanism at the human level.

So, we must be very careful when considering the responsibility of the
user.


val



