[cap-talk] More Heresy: ACLs not inherently bad
Kevin Reid
kpreid at mac.com
Tue Oct 7 08:21:34 CDT 2008
On Sep 17, 2008, at 7:51, Jonathan S. Shapiro wrote:
> On Wed, 2008-09-17 at 07:16 -0400, Kevin Reid wrote:
>> The membrane holds a table of nodes and access levels;
>
> The graph structure is not static.
Are you saying that the access control rules depend on the graph
structure, beyond the obvious that if there wasn't ever a reference to
node K from a node Alice holds then Alice can't access K?
In particular, must Alice's access to item /Q/K be revoked if she
holds a direct reference to K (gotten from Q), and K is deleted from
directory Q?
If not, then I don't see how the fact that the graph structure is not
static affects the access decisions the membranes make (though the
fact that the *ACLs* per node are not static does, of course).
>> when a cap passes from the graph to the principal, that access
>> level is provided through a facet; in the other direction, the cap
>> is unwrapped/converted to the 'base' state that lives in the graph.
>
> OK. Now can you explain how, when one of the wrapped capabilities
> gets passed from one user of the data set to the next, and the first
> user's access is revoked while the second user still holds the
> descriptor, the second user's access rights through the descriptor
> are preserved?
> ...
> But the solution requires that all interactions between users
> proceed through the membrane mechanism. This precludes, for example,
> my emailing a descriptor to another member of the working group.
My solution would be that each user can ask their own membrane to
convert a capability through somebody else's membrane into one through
their own.
--
Kevin Reid <http://homepage.mac.com/kpreid/>
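The membrane scheme sketched in the message above (a per-principal table of nodes and access levels, facets handed out when a capability leaves the graph, unwrapping when one comes back in, and conversion of a facet issued by someone else's membrane into one issued by your own) as an added Python example. This is not code from the thread or from any capability system the participants maintain; the rights names ("read", "write"), the `trust`/`unwrap_for` peer relation that lets one membrane unwrap another's facets, and the choice that deleting K from Q does not revoke a held facet to K are all assumptions made here to get a runnable sketch.

```python
# Added sketch (not code from the cap-talk thread) of a per-principal
# membrane: base nodes live in the shared graph, each principal holds only
# facets minted by their own membrane, and every facet call is checked
# against that membrane's per-node access table at call time. The peer
# trust relation used for cross-membrane conversion is an assumption.


class Node:
    """A base node in the shared data graph (directory or leaf)."""

    def __init__(self, name, content=""):
        self.name = name
        self.content = content
        self.children = {}  # name -> Node, for directories


class Revoked(PermissionError):
    """Raised when the issuing membrane no longer grants the needed right."""


class Facet:
    """What a principal actually holds. It references only its membrane;
    the base node is recoverable only through that membrane's table."""

    def __init__(self, membrane):
        self._membrane = membrane

    def read(self):
        return self._membrane._use(self, "read", lambda n: n.content)

    def write(self, text):
        def op(n):
            n.content = text
        self._membrane._use(self, "write", op)

    def lookup(self, name):
        # A cap passing out of the graph is wrapped by the same membrane.
        m = self._membrane
        return m._use(self, "read", lambda n: m.wrap(n.children[name]))

    def unlink(self, name):
        def op(n):
            del n.children[name]
        self._membrane._use(self, "write", op)


class Membrane:
    """One membrane per principal: per-node rights plus a facet->node table."""

    def __init__(self, principal):
        self.principal = principal
        self._acl = {}       # Node -> set of rights; revocation edits this
        self._table = {}     # Facet -> Node (the 'base' state in the graph)
        self._peers = set()  # membranes allowed to unwrap our facets (assumption)

    def grant(self, node, *rights):
        self._acl.setdefault(node, set()).update(rights)

    def revoke(self, node):
        self._acl.pop(node, None)

    def trust(self, other):
        self._peers.add(other)

    def wrap(self, node):
        facet = Facet(self)
        self._table[facet] = node
        return facet

    def _use(self, facet, right, op):
        node = self._table[facet]
        if right not in self._acl.get(node, ()):
            raise Revoked(f"{self.principal} lacks {right!r} on {node.name}")
        return op(node)

    def unwrap_for(self, requester, facet):
        """Hand the base node behind one of our facets to a trusted peer."""
        if requester not in self._peers:
            raise PermissionError(f"{self.principal} does not trust {requester.principal}")
        return self._table[facet]

    def convert(self, facet, issuer):
        """Cross-membrane step: get the base node from the issuing membrane,
        then re-wrap it through this membrane so the holder's access depends
        on their own rights, not on the sender's."""
        return self.wrap(issuer.unwrap_for(self, facet))


def scenario():
    """Alice forwards a descriptor to Bob, then Alice's access is revoked."""
    Q = Node("Q")
    K = Node("K", "report v1")   # constructed sample data
    Q.children["K"] = K

    alice, bob, carol = Membrane("alice"), Membrane("bob"), Membrane("carol")
    alice.grant(Q, "read", "write")
    alice.grant(K, "read")
    bob.grant(K, "read")   # Bob is entitled to K in his own right
    alice.trust(bob)       # assumption: Alice's membrane unwraps for Bob's
    out = {}

    k_via_alice = alice.wrap(Q).lookup("K")   # facet minted by Alice's membrane
    # Alice mails k_via_alice to Bob. Used as-is, it exercises Alice's rights:
    out["forwarded_before_revoke"] = k_via_alice.read()

    k_via_bob = bob.convert(k_via_alice, issuer=alice)
    try:
        carol.convert(k_via_alice, issuer=alice)
        out["untrusted_convert"] = "allowed"
    except PermissionError:
        out["untrusted_convert"] = "denied"

    alice.revoke(K)
    try:
        k_via_alice.read()
        out["forwarded_after_revoke"] = "allowed"
    except Revoked:
        out["forwarded_after_revoke"] = "denied"
    out["converted_after_revoke"] = k_via_bob.read()

    # Graph change: K is deleted from Q. In this sketch access is decided by
    # the per-node table alone, so Bob's direct facet to K survives.
    alice.wrap(Q).unlink("K")
    out["k_in_Q"] = "K" in Q.children
    out["converted_after_unlink"] = k_via_bob.read()
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running `scenario()` shows the two halves of the exchange: the facet Alice mailed to Bob dies with Alice's revocation because it is still checked against Alice's table, while the copy Bob converted through his own membrane keeps working, and unlinking K from Q leaves that held facet untouched because the check consults only the per-node rights.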