[cap-talk] More Heresy: ACLs not inherently bad
david.hopwood at industrial-designers.co.uk
Wed Sep 10 19:48:26 CDT 2008
Jed Donnelley wrote:
> At 08:30 PM 9/9/2008, Charles Landau wrote:
>> Yes, the sub-directories must also be different, unless they happen to
>> grant the same access...
>> Each time you pass a different set of capabilities to a process, you
>> construct a new directory-like object that will give access to that set.
>> So in general, different processes will receive capabilities to
>> different directory-like objects. It needn't use Horton.
> Unless I'm not understanding something, it seems to me that it
> must be essentially Horton in that any capability fetched
> through such a directory-like object given to "new process"
> must inherit the "new-process"ness of the capability it was
> given - so that future requests (e.g. more fetches) will return
> "new process" labeled capabilities and so that in turn when
> leaf node capabilities are finally returned they can have
> the appropriately limited access (that which should be granted
> to "new process" as opposed to "old process").
No, there's no need for that. You give the new process its own
directory. It can delegate the directory however it wants. If it
chooses to delegate it directly (rather than via any Horton-like
mechanism) to an "old" process, that's fine; the directory doesn't
need to, and shouldn't, behave differently in that case.
Horton is useful when you want to track delegations between
principals and allow selective revocation for a given principal.
It's not necessary simply to support aggregating authorities,
which was the focus of this subthread.
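As an added illustration of the aggregation point discussed above (example code, not from the thread or from any of the posters): a toy object-capability model in Python in which each process is handed its own directory-like object, and fetching from or delegating that directory conveys exactly the stored authority without any Horton-style labelling of who holds it. All class and function names here are made up for the example.

```python
# Added example: a minimal model of "directory-like" capability aggregation.
# Names (Capability, Directory, can, delegate) are this example's own.
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference to an object plus the rights it conveys."""
    target: str
    rights: frozenset

    def allows(self, op: str) -> bool:
        return op in self.rights


class Directory:
    """Directory-like object: a fixed set of capabilities under names.
    fetch() hands back the stored capability unchanged; it does not
    relabel it with the identity of whoever holds the directory."""

    def __init__(self, entries: dict):
        self._entries = dict(entries)

    def fetch(self, name: str) -> Capability:
        return self._entries[name]  # KeyError if that name was never granted


# Constructed sample: an "old" process holds read+write on a file and
# passes a "new" process a directory granting only read on the same file.
OLD_DIR = Directory({"file": Capability("file", frozenset({"read", "write"}))})
NEW_DIR = Directory({"file": Capability("file", frozenset({"read"}))})


def can(directory: Directory, name: str, op: str) -> bool:
    """True if the holder of `directory` may perform `op` via entry `name`."""
    try:
        return directory.fetch(name).allows(op)
    except KeyError:
        return False


def delegate(directory: Directory) -> Directory:
    """Delegation is just passing the directory reference along; the
    recipient gets exactly the same authority, no more and no less."""
    return directory


if __name__ == "__main__":
    # The new process hands its directory back to the old process: the old
    # process learns nothing new and the directory behaves no differently.
    handed_back = delegate(NEW_DIR)
    print(can(OLD_DIR, "file", "write"), can(handed_back, "file", "write"))
```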