[cap-talk] More Heresy: ACLs not inherently bad

Jed Donnelley capability at webstart.com
Tue Sep 16 17:27:16 CDT 2008


At 10:57 AM 9/15/2008, Karp, Alan H wrote:
>Shap wrote:
>
> > Only in the sense that replicating ACLs with Caps isn't an advantage,
> > which probably means that Horton isn't the right approach.
>
>ACLs in conventional systems serve two roles, recording the access 
>policy and making an authorization decision.  It is the latter that 
>leads to many of the problems.  The solutions that have been 
>proposed in this thread, including Horton, separate the two 
>roles.  In each of these solutions, the ACL is checked to see which 
>capabilities to grant, but the actual access is done by invoking a 
>capability.  That approach preserves the advantages of capabilities, 
>such as delegation and no confused deputy, while allowing all the 
>joys of administering ACLs.

Nice summary of something like the 50k foot view of what we seemed to 
come to last Friday, Alan.

Unfortunately, it reads to me as if what Jonathan is requiring is a 
Unix compatible interface.  I don't believe you can achieve such 
compatibility using an underlying capability infrastructure without 
significant (we could debate how much "significant" is) 
overhead.  From the perspective of a Unix compatible interface any 
such overhead is an unnecessary cost.  If what you want is exactly 
Unix and no other values are worth any extra overhead (e.g. simple 
individual object delegation via messages for better POLA, binding of 
delegation and authorization to avoid confused deputies, network 
delegation of objects across administrative boundaries, etc.) then it 
seems pretty clear that a minimalist Unix implementation is the right 
technical choice.

It's interesting to me that this is about the same position we found 
ourselves in at LLNL circa 1988.  We were able to argue from a 
somewhat stronger position because we had already emulated our 
previous operating system, LTSS, on a capability infrastructure, with 
acceptable overhead.  Adding a Unix emulation with comparable 
overhead would have been straightforward.  However, at that point we 
would have an operating system which, while it would provide the 
needed LTSS and Unix APIs, we would have to continue to support.  We 
had no prospect of selling the nascent open source community on our 
system, so a lower cost approach was to develop LTSS compatibility 
libraries for Unix.

The above suggests to me (as similar arguments have in the past) that 
it will require a different interface, not an operating system API, 
to "sell" the capability interface.  I was encouraged by some of the 
discussion last Friday about the developing Webkeys interface(s?).

--Jed  http://www.webstart.com/jed-signature.html 
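The split Alan describes in the quoted paragraph (the ACL records policy and decides which capabilities are granted; the access itself is done by invoking a capability) as an added example in Python, not code from the thread, from Horton, or from any of the systems mentioned; the Resource, Capability and Acl classes and the compile_to deputy are hypothetical names chosen for illustration, with constructed sample data.

```python
class Resource:
    def __init__(self, name, contents=""):
        self.name, self.contents = name, contents

class Capability:
    """Unforgeable reference to one resource with one right; no policy lookup."""
    def __init__(self, resource, right):
        self._resource, self.right = resource, right

    def invoke(self, payload=None):
        if self.right == "read":
            return self._resource.contents
        if self.right == "write":
            self._resource.contents = payload
            return payload
        raise PermissionError(self.right)

class Acl:
    """Records policy and decides which capabilities to hand out; nothing else."""
    def __init__(self):
        self._entries = {}  # (principal, resource name) -> set of rights

    def grant(self, principal, resource, right):
        self._entries.setdefault((principal, resource.name), set()).add(right)

    def capabilities_for(self, principal, resource):
        rights = self._entries.get((principal, resource.name), set())
        return {r: Capability(resource, r) for r in rights}

def compile_to(source_cap, output_cap):
    """Deputy that acts only through the caller's capabilities: no ambient authority."""
    return output_cap.invoke(source_cap.invoke().upper())

def demo():
    acl, report = Acl(), Resource("report.txt", "draft")   # constructed sample data
    billing = Resource("billing.db", "ledger")  # the deputy's own data
    for right in ("read", "write"):
        acl.grant("alice", report, right)
    alice = acl.capabilities_for("alice", report)
    # Delegation: Alice hands Bob her write capability.  Bob has no ACL
    # entry, yet the write succeeds because only the capability is checked.
    bob_by_name = acl.capabilities_for("bob", report)   # {}
    alice["write"].invoke("bob's edit")                  # Bob using the delegated cap
    # Confused deputy: Alice can pass only capabilities she holds, so the
    # deputy's billing data is not an output she can name for it.
    alice_on_billing = acl.capabilities_for("alice", billing)  # {}
    compile_to(alice["read"], alice["write"])
    return {"bob_by_name": len(bob_by_name), "alice_on_billing": len(alice_on_billing),
            "report": report.contents, "billing": billing.contents}
```

Administering policy still happens in one place (Acl.grant), but the invoke path never looks at it, which is where the delegation and confused-deputy properties come from.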