[cap-talk] More Heresy: ACLs not inherently bad

Jed Donnelley capability at webstart.com
Wed Sep 10 16:45:31 CDT 2008


At 03:30 AM 9/10/2008, Jonathan S. Shapiro wrote:
>On Tue, 2008-09-09 at 20:30 -0700, Charles Landau wrote:
>...
> > Each time you pass a different set of capabilities to a process, you
> > construct a new directory-like object that will give access to that set.
> > So in general, different processes will receive capabilities to
> > different directory-like objects. It needn't use Horton.
>
>This is precisely the operation that is both performance prohibitive and
>(human) complexity prohibitive. It will turn out that humans can't make
>the necessary decisions to decide what goes in to those directories.

Why do you believe a human must be involved?  A human need not be
involved in the Horton mechanism, for example.

The returning of a "filtered" capability for every fetch is not
significantly different from the "deep read-only" (at LLNL,
"inheritance", in KeyKOS I've forgotten what it was called, but
I never heard it was a performance concern) mechanism that hasn't
been performance prohibitive.  In any case I believe any such
filtering mechanism could be optimized (e.g. by pushing it down
into a trusted security "kernel") so that it would be simply a
matter of trivial bookkeeping.

I don't understand your concerns, Jonathan.  Might be an interesting
topic for an HP meeting?

--Jed  http://www.webstart.com/jed-signature.html 
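The mechanism the message sketches (a facet that returns a "filtered" capability on every fetch, so a read-only restriction is "deep" and follows you down into sub-directories, plus the per-process directory-like object Landau describes) can be shown in a few dozen lines. The following is an added example written for this archive page; it is not code from the post, from LLNL, KeyKOS or Horton, and the names (Directory, File, ReadOnlyDirectory, ReadOnlyFile, read_only, restrict, demo) and the sample tree are assumptions made for the illustration. The memoised facet table is one way to make the per-fetch cost "trivial bookkeeping", as the post suggests; real systems push this into the kernel rather than a Python dictionary.

```python
"""Deep read-only attenuation of capability directories (added example;
not code from the post, LLNL, KeyKOS or Horton; all names are assumed)."""
import weakref


class File:
    """Leaf capability: holds bytes and grants both read and write."""
    def __init__(self, data: bytes = b""):
        self.data = data

    def read(self) -> bytes:
        return self.data

    def write(self, data: bytes) -> None:
        self.data = data


class Directory:
    """Directory-like object: a name -> capability map with full authority."""
    def __init__(self):
        self._slots = {}

    def fetch(self, name: str):
        return self._slots[name]

    def store(self, name: str, cap) -> None:
        self._slots[name] = cap

    def names(self) -> list:
        return sorted(self._slots)


class ReadOnlyFile:
    """Attenuated leaf: read is forwarded, write is refused."""
    def __init__(self, target: File):
        self._target = target

    def read(self) -> bytes:
        return self._target.read()

    def write(self, data: bytes) -> None:
        raise PermissionError("read-only capability")


class ReadOnlyDirectory:
    """Attenuated directory: every fetch() result is re-wrapped read-only,
    so the restriction is deep and cannot be escaped by walking down."""
    def __init__(self, target: Directory):
        self._target = target

    def fetch(self, name: str):
        return read_only(self._target.fetch(name))

    def store(self, name: str, cap) -> None:
        raise PermissionError("read-only capability")

    def names(self) -> list:
        return self._target.names()


# Bookkeeping: one facet per underlying object, made on first use and dropped
# when the object dies, so a repeated fetch costs one dictionary lookup.
_facets = weakref.WeakKeyDictionary()


def read_only(cap):
    """Return the read-only facet of cap (idempotent: a facet stays a facet)."""
    if isinstance(cap, (ReadOnlyFile, ReadOnlyDirectory)):
        return cap
    facet = _facets.get(cap)
    if facet is None:
        if isinstance(cap, Directory):
            facet = ReadOnlyDirectory(cap)
        elif isinstance(cap, File):
            facet = ReadOnlyFile(cap)
        else:
            raise TypeError(f"cannot attenuate {type(cap).__name__}")
        _facets[cap] = facet
    return facet


def restrict(directory: Directory, allowed) -> Directory:
    """Build a fresh directory-like object holding only the named entries:
    the per-process subset Landau describes, built mechanically."""
    view = Directory()
    for name in allowed:
        view.store(name, directory.fetch(name))
    return view


def demo() -> dict:
    # Constructed sample tree: /etc/passwd and /home/notes (not real data).
    root, etc, home = Directory(), Directory(), Directory()
    etc.store("passwd", File(b"root:x:0:0"))
    home.store("notes", File(b"todo"))
    root.store("etc", etc)
    root.store("home", home)

    ro_root = read_only(root)
    r = {}
    r["deep_type"] = type(ro_root.fetch("etc")).__name__   # facet, not Directory
    r["read"] = ro_root.fetch("etc").fetch("passwd").read()  # reads still work
    try:
        ro_root.fetch("etc").fetch("passwd").write(b"pwned")
        r["write_blocked"] = False
    except PermissionError:
        r["write_blocked"] = True                              # refused at depth
    r["same_facet"] = ro_root.fetch("etc") is ro_root.fetch("etc")
    sub = restrict(root, {"home"})
    r["restricted_names"] = sub.names()                        # only "home"
    r["original"] = etc.fetch("passwd").read()                 # untouched
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the block makes against the "deep read-only is expensive" worry is the facet table: after the first fetch of a given sub-directory, handing out the read-only view is a lookup, not a construction, and the underlying directory is never copied.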
