[cap-talk] Examples where ACLs are a better solution than capabilities

Jed Donnelley capability at webstart.com
Mon Oct 8 00:32:47 EDT 2007


At 04:00 AM 10/7/2007, Jonathan S. Shapiro wrote:

>... but I actually do agree that there are
>places where ACLs are a better solution (I can hear the cries of
>"heresy" ramping up already).

I seem to remember this discussion once before.  However, I think
at least a reminder would be helpful in this case.  Can you please
describe a place or two where ACLs are preferable to capabilities
for access control, Jonathan?

>Hmm. Taken together, your two statements seem to imply that a
>two-mechanism system might be worthwhile. If so, I suggest that it must
>be a logical AND rather than a logical OR. That is: if both ACLs and
>capabilities are used, BOTH must permit the operation in question in
>order for the operation to proceed.
>
>The problem with either-or systems is that things slip through the
>cracks where (a) the two systems have been configured in subtly
>different ways, or (b) the overlap in what the two systems can express
>is imperfect.

I think I'm starting to get sick.  I believe we have evidence of
reasonably successful ACL systems and reasonably successful
capability systems, but I know of no even moderately successful
mixed systems.  Perhaps MarkM can help us out here with some
examples that successfully occupy this space?

Of course one of the main points of Horton was to demonstrate
that we can achieve the main values of ACL systems with pure
capabilities.  Presumably then the examples where ACL systems
are a better solution go beyond what a mechanism like Horton
can supply.

Seems like a good topic for cap-talk - unless we have been over
these examples before.

--Jed  http://www.webstart.com/jed/ 
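
The AND-versus-OR composition from the quoted text above, as an added example that is not part of the original message or of any system discussed on the list: it runs one constructed policy through both mechanisms and lists the requests an either-or monitor grants that a both-must-permit monitor denies. All principals, objects, rights and function names are hypothetical, and capabilities are modeled simply as (object, rights) pairs held per principal.

```python
from itertools import product

# Constructed sample policy; principals, objects and rights are hypothetical.
ACL = {  # object -> principal -> rights the ACL grants
    "payroll.db": {"alice": {"read", "write"}, "bob": {"read"}},
    "audit.log": {"alice": {"read"}},
}
CAPS = {  # principal -> capabilities held, each an (object, rights) pair
    "alice": [("payroll.db", frozenset({"read"}))],
    "bob": [("payroll.db", frozenset({"read", "write"})),
            ("audit.log", frozenset({"read"}))],
}

def acl_permits(who, obj, right):
    """True if the ACL on obj lists this right for this principal."""
    return right in ACL.get(obj, {}).get(who, set())

def cap_permits(who, obj, right):
    """True if the principal holds a capability to obj carrying this right."""
    return any(o == obj and right in rights for o, rights in CAPS.get(who, []))

def decide(who, obj, right, mode):
    """mode 'and': both mechanisms must permit; mode 'or': either suffices."""
    a, c = acl_permits(who, obj, right), cap_permits(who, obj, right)
    return (a and c) if mode == "and" else (a or c)

def cracks(principals, objects, rights):
    """Requests where the mechanisms disagree: OR grants them, AND denies them."""
    return sorted(
        (w, o, r) for w, o, r in product(principals, objects, rights)
        if decide(w, o, r, "or") and not decide(w, o, r, "and")
    )

if __name__ == "__main__":
    for who, obj, right in cracks(["alice", "bob"], list(ACL), ["read", "write"]):
        source = "ACL only" if acl_permits(who, obj, right) else "capability only"
        print(f"{who} {right} {obj}: granted under OR via {source}")
```

Every request the two configurations disagree on is granted by the either-or monitor and denied by the both-must-permit monitor.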


