[cap-talk] A better reference for the "capabilities propagate too easily" argument
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Aug 2 07:43:18 EDT 2007
On Thu, 2007-08-02 at 05:02 +0000, Karp, Alan H wrote:
> MarkM wrote:
> >
> > I accept that this definition is meaningful and internally consistent.
> > However, it differs so completely from historical usage as to be worse
> > than useless. For example, by this definition, even a simple ACL
> > system implements mandatory security: If Alice creates file F, she
> > owns file F. If Alice does not put Bob on F's ACL, then from Bob's
> > point of view, his inability to access the file is mandatory. Try
> > telling any security person not on cap-talk that even conventional
> > ACLs implement mandatory security! (On second thought, please don't
> > try this.)
> >
> That's why my definition refers to "neither party in the rights
> transfer". That would make it mandatory for both Alice and Bob in your
> example.
>
Alan, could you post your definition in full? I'd be interested to
understand it, and in particular this qualification.
Cheers
Toby