[cap-talk] More Heresy: ACLs not inherently bad

Jed Donnelley capability at webstart.com
Wed Sep 10 04:14:33 CDT 2008


At 08:30 PM 9/9/2008, Charles Landau wrote:
>Yes, the sub-directories must also be different, unless they happen to
>grant the same access...
>Each time you pass a different set of capabilities to a process, you
>construct a new directory-like object that will give access to that set.
>So in general, different processes will receive capabilities to
>different directory-like objects. It needn't use Horton.

Unless I'm not understanding something, it seems to me that it
must be essentially Horton in that any capability fetched
through such a directory-like object given to "new process"
must inherit the "new-process"ness of the capability it was
given - so that future requests (e.g. more fetches) will return
"new process" labeled capabilities and so that in turn when
leaf node capabilities are finally returned they can have
the appropriately limited access (that which should be granted
to "new process" as opposed to "old process").

In this regard it seems to me that the "new process"ness is
essentially an ID/principal.  Perhaps demanding the sort of
dynamic control by ID (as with an ACL) as in Horton is
pushing it further than you intend, but it seems to me that
it's getting awfully close in any case.

Regarding the subject, "ACLs not inherently bad", I
of course agree that if ACLs are implemented with
capabilities (like Horton) that bind designation and
authorization and can be communicated, then "ACL"s
are perfectly fine and reasonable.  It's only when
ACLs produce ambient authority that can't be refined
or that can't be communicated that they seem to me
to clearly cause problems.

I'd be interested in an interactive/white board discussion
of this topic if it could be arranged (e.g. HP some[this?]
Friday?).  I believe that in such an environment a lot of
these devily details could be quickly worked out.

--Jed  http://www.webstart.com/jed-signature.html  
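
The label propagation discussed in the message above, sketched as an added example that is not part of the original post and is not Horton's protocol. The names `File`, `ReadOnly`, `Directory`, `LabelledView`, `ACL` and `acl_policy` are hypothetical, and the rights table is constructed sample data; Python does not enforce encapsulation, so this only models the structure.

```python
class File:                      # leaf object with full read/write authority
    def __init__(self, data): self._data = data
    def read(self): return self._data
    def write(self, data): self._data = data

class ReadOnly:                  # attenuated leaf: forwards read, exposes no write
    def __init__(self, target): self._read = target.read
    def read(self): return self._read()

class Directory:                 # plain directory holding capabilities by name
    def __init__(self, entries): self._entries = dict(entries)
    def fetch(self, name): return self._entries[name]

class LabelledView:
    """Directory-like object handed to one recipient. Every sub-directory
    fetched through it carries the same label, so leaf capabilities can be
    limited to what that label should be granted."""
    def __init__(self, target, label, policy):
        self._target, self._label, self._policy = target, label, policy
    def fetch(self, name):
        cap = self._target.fetch(name)
        if isinstance(cap, Directory):           # inherit the label on the way down
            return LabelledView(cap, self._label, self._policy)
        return self._policy(self._label, cap)    # attenuate at the leaf

# Constructed sample rights table: the label acts as an ID/principal key.
ACL = {"old process": "rw", "new process": "r"}

def acl_policy(label, cap):
    rights = ACL.get(label, "")                  # consulted at fetch time
    if "w" in rights:
        return cap
    if "r" in rights:
        return ReadOnly(cap)
    raise PermissionError(f"{label!r} has no access")

def demo():
    root = Directory({"docs": Directory({"notes": File("draft")})})
    old = LabelledView(root, "old process", acl_policy)
    new = LabelledView(root, "new process", acl_policy)
    old.fetch("docs").fetch("notes").write("final")
    leaf_new = new.fetch("docs").fetch("notes")
    return (leaf_new.read(), hasattr(leaf_new, "write"),
            isinstance(new.fetch("docs"), LabelledView))

if __name__ == "__main__":
    print(demo())
```
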