[cap-talk] More Heresey: ACLs not inherently bad
ihab.awad at gmail.com
Sat Aug 30 22:51:36 CDT 2008
On Sat, Aug 30, 2008 at 6:54 PM, Jonathan S. Shapiro <shap at eros-os.com> wrote:
> It is very easy in a capability system to transfer O(1) authorities. But
> once you get much above that you find that you need to introduce some
> form of namespace for the capabilities being transferred. This is, in
> essence, a file system. If you want to transfer the entire file system
> then we are back to the O(1) simple case. Unfortunately, if you want to
> transfer some subset of a large collection, you are forced to
> dynamically build a large collection.

If one were to model each transfer of control (e.g., forking) as a
procedure call, the question boils down to asking, how does one pass a
bunch of parameters? One encounters this problem in software
engineering all the time. There are two points to consider --

1. Once procedures start to have seven parameters, we wonder if there
is some abstraction that we are missing. Searching for and building
that abstraction makes our lives better once more. Note that I assume
the creation of this dynamic abstraction as an *object* is possible;
in other words, I assume we are talking about *object* capabilities.
If we aren't then all bets are off. :)

2. One "answer" to having to pass everything around was to provide
ambient access to a whole bunch of useful little things all over the
place. That created a maintenance hairball, the result of which was
the pretty widespread adoption of DI --

http://en.wikipedia.org/wiki/Dependency_injection

This was done for testability and general sanity, not security, yet
the end result is vividly similar. Lessons learned from DI about how
to handle a proliferation of useful little parameters while
maintaining the rigor may therefore be applicable.

That all said, I'm not well-versed in DI by any means; is there anyone
on the list who is and can provide insight?

Ihab
--
Ihab A.B. Awad, Palo Alto, CA
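
The following is an added example, not part of the original message or of any cap-talk project: it sketches the "build the missing abstraction as an object" idea for the subset-of-a-large-collection case, with the object injected as a single parameter in the DI style. All names (Store, SubsetFacet, report_job) are hypothetical, and because Python does not enforce encapsulation this shows the shape of the pattern, not an enforcing object-capability runtime.

```python
# Added illustration; every name here (Store, SubsetFacet, report_job) is hypothetical.
from typing import Callable, Dict, Iterator


class Store:
    """A large namespace of capabilities, modelled here as name -> reader callables."""

    def __init__(self) -> None:
        self._caps: Dict[str, Callable[[], str]] = {}

    def bind(self, name: str, cap: Callable[[], str]) -> None:
        self._caps[name] = cap

    def subset(self, allowed: Callable[[str], bool]) -> "SubsetFacet":
        # Hand out one object standing for many authorities: O(1) to transfer,
        # and no copy of the underlying collection is built.
        return SubsetFacet(self._caps, allowed)


class SubsetFacet:
    """Attenuated view: lookups succeed only for names the predicate admits."""

    def __init__(self, caps: Dict[str, Callable[[], str]],
                 allowed: Callable[[str], bool]) -> None:
        self._caps = caps
        self._allowed = allowed

    def lookup(self, name: str) -> Callable[[], str]:
        if not self._allowed(name) or name not in self._caps:
            # Same error for "denied" and "absent" so the facet does not leak
            # which names exist outside the subset.
            raise KeyError(name)
        return self._caps[name]

    def names(self) -> Iterator[str]:
        return (n for n in self._caps if self._allowed(n))


def report_job(logs: SubsetFacet) -> str:
    """The callee: its only authority is the single injected parameter."""
    return "\n".join(logs.lookup(n)() for n in sorted(logs.names()))


def demo() -> str:
    store = Store()
    store.bind("logs/app", lambda: "app ok")       # constructed sample data
    store.bind("logs/db", lambda: "db ok")
    store.bind("keys/signing", lambda: "SECRET")
    return report_job(store.subset(lambda n: n.startswith("logs/")))
```

The facet is a live view, so names bound in the store later appear through it if the predicate admits them; a snapshot would need an explicit copy.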