[cap-talk] More Heresy: ACLs not inherently bad

Jonathan S. Shapiro shap at eros-os.com
Thu Sep 11 04:47:13 CDT 2008


On Wed, 2008-09-10 at 14:45 -0700, Jed Donnelley wrote:
> The returning of a "filtered" capability for every fetch is not
> significantly different from the "deep read-only"...

You misunderstand me. It is not the returned capability I am proposing
to filter. That is useful, but it is a mostly orthogonal issue. What I
am proposing to filter is the name space that is visible to the fetch
operation.

The performance issue is that building a per-exec custom directory tree
potentially containing thousands of entries is prohibitive. This
certainly would not work in KeyKOS either.

Because of the scaling factors and the fact that human usage conventions
work quite well on human-comprehensible name spaces, this is a case
where "subtracting what you don't want" is probably a better approach
than "insert only what you should have".
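The distinction drawn above, as an added illustration that is not part of the cap-talk thread: a toy capability directory in Python in which attenuating the returned capability (read-only) and filtering the name space visible to fetch are separate operations, and the subtractive filter builds no per-exec copy of the directory, unlike the allow-list alternative. All class names and directory entries are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

@dataclass
class FileCap:
    """Capability to a file object; 'writable' is the authority it conveys."""
    name: str
    data: bytes
    writable: bool = True

    def attenuate_read_only(self) -> "FileCap":
        # Filter on the RETURNED capability: same object, less authority.
        return FileCap(self.name, self.data, writable=False)

@dataclass
class Directory:
    """The full, possibly huge, name space (constructed stand-in)."""
    entries: Dict[str, FileCap] = field(default_factory=dict)

    def fetch(self, name: str) -> Optional[FileCap]:
        return self.entries.get(name)

@dataclass
class FilteredNamespace:
    """Filter on the NAME SPACE: fetch never sees subtracted names.
    No per-exec copy is built; the predicate runs once per lookup."""
    base: Directory
    hidden: Callable[[str], bool]

    def fetch(self, name: str) -> Optional[FileCap]:
        if self.hidden(name):
            return None  # indistinguishable from "no such entry"
        return self.base.fetch(name)

    def names(self):
        return [n for n in sorted(self.base.entries) if not self.hidden(n)]

def build_allowlist_dir(base: Directory, allowed) -> Directory:
    """'Insert only what you should have': copies every allowed entry per exec."""
    return Directory({n: base.entries[n] for n in allowed if n in base.entries})

def demo():
    # Constructed sample: thousands of library entries plus one dotfile to hide.
    base = Directory({f"lib{i}.so": FileCap(f"lib{i}.so", b"\x7fELF") for i in range(5000)})
    base.entries[".secret"] = FileCap(".secret", b"private")
    view = FilteredNamespace(base, hidden=lambda n: n.startswith("."))
    cap = view.fetch("lib7.so")
    allow = build_allowlist_dir(base, view.names())  # the costly per-exec copy
    return (len(view.names()), view.fetch(".secret"), len(allow.entries),
            cap.attenuate_read_only().writable, cap.writable)
```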
