[cap-talk] More Heresy: ACLs not inherently bad
Baldur Johannsson
zarutian+cap-talk at gmail.com
Wed Sep 10 11:34:11 CDT 2008
2008/9/10 John Carlson <john.carlson3 at sbcglobal.net>:
>
> On Sep 10, 2008, at 3:30 AM, Jonathan S. Shapiro wrote:
>
>> On Tue, 2008-09-09 at 20:30 -0700, Charles Landau wrote:
>>> Jed Donnelley wrote:
>>>> Sorry - I was clear on that. I shouldn't have included the leaf
>>>> object in the above <> (see below as to what I was thinking). What
>>>> I don't understand is how such a directory-like object distinguishes
>>>> between a fetch by the "new process" from a fetch by some other
>>>> process (old process). Are you imagining some Horton-like mechanism
>>>> where the relevant processes get different capabilities to the
>>>> directory-like object so that the directory-like object can
>>>> distinguish the fetches?
>>>
>>> Each time you pass a different set of capabilities to a process, you
>>> construct a new directory-like object that will give access to that
>>> set.
>>> So in general, different processes will receive capabilities to
>>> different directory-like objects. It needn't use Horton.
>>
>> This is precisely the operation that is both performance prohibitive
>> and (human) complexity prohibitive. It will turn out that humans can't
>> make the necessary decisions to decide what goes in to those directories.
>
> If you use search as a way to create a directory, you can store your
> search terms and a swiss number for the namespace you are searching in
> your object referred to by your capability.
Would work similarly to Smart Folders in Mac OS X Leopard, yes?
> If you are passing
> capabilities as data, you can seal the capability, so that you know
> that when you get the capability back, you can unseal it and know you
> are the originator.
>
> To define the search terms, you may use any method you choose:
> keywords, SQL, XML, etc. etc.
>
> I realize that this has been shot down in the past. I guess I don't
> get why this is so against the capabilities community idea of a secure
> system. What is wrong with a query as a capability? Why must I use a
> method?
>
> If you want a method, store the method name (say as a swiss number)
> along with search terms somewhere and use the method name when you are
> communicating. I don't really see the difference. Is there a
> difference?
>
> It really is as simple as what Jed describes in his Managing Domains
> paper.
>
Link to that paper, please?
So, how are ACL lists on folders and files different from directories
constructed as described above? (Either via search-term smart folders
or directories created for each subject using them.)
Perhaps ACLs are preferred due to the ease of common space mapping,
that is, users on one UNIX machine can refer to the same thing because
that thing is in a globally shared namespace. ACLs then work like
bouncers' lists at entrances to some subdirectories.
Just my 0.0002 grams of gold ;-)
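As an added illustration of the two mechanisms this thread contrasts (not code from the thread or from any of the posters): a small Python model of a sealer/unsealer brand pair for passing a capability as data and getting it back as the originator, per-subject directory-like objects each built from one capability set, and an ACL over a single shared namespace with a per-object "bouncer list". Every name, subject and payload below is constructed for the example; the sealer uses the classic shared-register construction, and since Python does not enforce encapsulation it models the protocol rather than providing a hardened primitive.

```python
# Added example, not from the cap-talk thread. All names and values are constructed.

class Capability:
    """An unforgeable reference: holding it is the authority (constructed)."""
    def __init__(self, name, payload):
        self._name, self._payload = name, payload

    def read(self):
        return self._payload

    def __repr__(self):
        return f"<cap {self._name}>"


def make_brand_pair():
    """Return (seal, unseal) closures sharing one private register.

    A sealed box can only deposit its contents into the register of the
    brand that made it, so only that brand's unsealer can retrieve them;
    a box from any other brand deposits elsewhere and is rejected.
    """
    register = []

    class SealedBox:
        def __init__(self, contents):
            self._deposit = lambda: register.append(contents)

        def __repr__(self):
            return "<sealed box>"

    def seal(contents):
        return SealedBox(contents)

    def unseal(box):
        register.clear()
        deposit = getattr(box, "_deposit", None)
        if deposit is not None:
            deposit()
        if not register:
            raise ValueError("not sealed by this brand")
        return register.pop()

    return seal, unseal


def make_directory(entries):
    """Directory-like object exposing exactly one capability set.

    It never needs to know who is calling: a subject given a different
    set holds a different directory, as the thread describes.
    """
    table = dict(entries)

    class Directory:
        def fetch(self, name):
            if name not in table:
                raise KeyError(name)
            return table[name]

        def names(self):
            return sorted(table)

    return Directory()


def acl_fetch(namespace, acls, subject, name):
    """ACL model: one globally shared namespace plus a per-object list.

    Access needs the name *and* the caller's identity; the check happens
    at the entrance, not by virtue of what the caller holds.
    """
    if name not in namespace:
        raise KeyError(name)
    if subject not in acls.get(name, ()):
        raise PermissionError(f"{subject} not on ACL for {name}")
    return namespace[name]


def run_demo():
    """Exercise both models and return the outcomes as plain values."""
    cap_config = Capability("config", b"constructed config bytes")
    cap_log = Capability("log", b"constructed log bytes")

    # Capability side: two subjects, two directories built from two sets.
    dir_a = make_directory({"config": cap_config, "log": cap_log})
    dir_b = make_directory({"log": cap_log})
    try:
        dir_b.fetch("config")
        b_sees_config = True
    except KeyError:
        b_sees_config = False

    # Passing a capability as data: seal, hand out, receive back, unseal.
    seal_a, unseal_a = make_brand_pair()
    seal_other, _ = make_brand_pair()
    round_tripped = unseal_a(seal_a(cap_config)) is cap_config
    try:
        unseal_a(seal_other(cap_log))
        foreign_accepted = True
    except ValueError:
        foreign_accepted = False

    # ACL side: everyone uses the same names; identity is checked at the door.
    namespace = {"config": cap_config, "log": cap_log}
    acls = {"config": {"alice"}, "log": {"alice", "bob"}}
    try:
        acl_fetch(namespace, acls, "bob", "config")
        bob_gets_config = True
    except PermissionError:
        bob_gets_config = False

    return {
        "a_names": dir_a.names(),
        "b_names": dir_b.names(),
        "b_sees_config": b_sees_config,
        "round_tripped": round_tripped,
        "foreign_accepted": foreign_accepted,
        "bob_gets_config": bob_gets_config,
        "bob_gets_log": acl_fetch(namespace, acls, "bob", "log") is cap_log,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete: the capability directory answers a fetch using only the name, because the set of reachable objects was fixed when the directory was constructed for that subject, whereas `acl_fetch` must be told who is asking and consult the list at the entrance. The brand pair is what lets a capability travel as data and still be recognised on return, without the recipient being able to read or forge it.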