[cap-talk] More Heresy: ACLs not inherently bad
Karp, Alan H
alan.karp at hp.com
Mon Sep 15 12:57:53 CDT 2008
Shap wrote:
>
> Only in the sense that replicating ACLs with Caps isn't an advantage,
> which probably means that Horton isn't the right approach.
>
ACLs in conventional systems serve two roles, recording the access policy and making an authorization decision. It is the latter that leads to many of the problems. The solutions that have been proposed in this thread, including Horton, separate the two roles. In each of these solutions, the ACL is checked to see which capabilities to grant, but the actual access is done by invoking a capability. That approach preserves the advantages of capabilities, such as delegation and no confused deputy, while allowing all the joys of administering ACLs.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
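
The split described in the message above, as an added sketch that is not part of the original post and is not Horton's code: the ACL is consulted only to decide which capabilities to grant, and every access is made by invoking a capability. All class and function names are hypothetical, and Python only models unforgeable references by convention.

```python
# Added illustration (constructed names). Python cannot enforce unforgeable
# references, so underscore-prefixed fields are private by assumption only.
class Resource:
    def __init__(self, name, data=""):
        self.name, self.data = name, data

class ReadCap:
    """Holding this object is the authorization; no ACL lookup happens on use."""
    def __init__(self, resource):
        self._res = resource
    def read(self):
        return self._res.data

class WriteCap:
    def __init__(self, resource):
        self._res = resource
    def write(self, text):
        self._res.data = text

class Issuer:
    """Records policy as an ACL and consults it only when granting capabilities."""
    def __init__(self, resources):
        self._resources = {r.name: r for r in resources}
        self._acl = {}                      # (principal, resource name) -> rights
    def allow(self, principal, name, *rights):
        self._acl[(principal, name)] = set(rights)
    def grant(self, principal, name):
        rights = self._acl.get((principal, name), set())
        makers = {"read": ReadCap, "write": WriteCap}
        return {r: makers[r](self._resources[name]) for r in rights}

def compile_deputy(source, output):
    """Deputy with no authority of its own: it touches only what it is handed."""
    output.write(source.read().upper())

def bob_reads(cap):
    return cap.read()                       # bob has no ACL entry at all

def demo():
    src, out, billing = Resource("src", "int x;"), Resource("out"), Resource("billing", "ledger")
    issuer = Issuer([src, out, billing])
    for name, right in (("src", "read"), ("out", "write"), ("billing", "read")):
        issuer.allow("alice", name, right)  # alice may read, not write, billing
    alice = {n: issuer.grant("alice", n) for n in ("src", "out", "billing")}
    compile_deputy(alice["src"]["read"], alice["out"]["write"])
    return {
        "out": out.data, "billing": billing.data,
        "alice_has_billing_write": "write" in alice["billing"],
        "bob_acl_grant": issuer.grant("bob", "src"),
        "bob_via_delegation": bob_reads(alice["src"]["read"]),
    }
```

The deputy cannot be steered into overwriting billing because alice holds no write capability to pass it, while bob reads src through a delegated capability without any change to the ACL.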