[cap-talk] More Heresey: ACLs not inherently bad

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Sep 18 12:09:35 CDT 2008

On Thu, 2008-09-18 at 12:28 -0400, Jonathan S. Shapiro wrote:
> On Thu, 2008-09-18 at 08:52 -0700, Charles Landau wrote:
> > I take you to mean, the challenge problem does not specify a
> > *policy* for changing permissions.
> Indeed.

I can't see how this challenge is different from saying, "I want to
support arbitrary access policies for a group of users on a graph of
objects atop a pure capability system." Without tying it down somewhat,
the answer to your question will uncontroversially be "We can't do
everything, but none of us (yourself included) have ever tried to argue
that we can. Why care now?" 

What we can do that mimics ACL functionality (e.g. Membranes, NDAs etc.)
we know are obviously less efficient. Fair enough. Hence, even if we
could do arbitrary policies, I expect the answer would be again
uncontroversially that they would be grossly inefficient when compared
to their ACL counterparts.

The counter-point to this comes from the first talk I gave on the NDA
paper you reviewed for JCS. At the end, someone asked "If you're
replicating ACL functionality, won't you re-create all of the problems
they entail, such as the complexity of namespace management, loss of
POLA, etc?" to which I could only answer "Yes". This is important to

Worse performance of ACL-like constructs in capability systems seems
hardly the point, however. We know that capabilities provide much better
support for things that are far more important than supporting arbitrary
policies, such as POLA and writing secure programs. These are things we
need right now and are surely much more important to the current threats
we face than supporting access control policies that we can't even
articulate. (My counter-challenge to you is to articulate a particular
access policy, or a family of such policies you want to be able to
enforce, see ;)

Please tell me where I'm misinterpreting your challenge, and your
statement that it cannot be solved. I tend to agree with you, however I
agree because I think it holds trivially because its scope is too

Cheers heaps
