[cap-talk] More Heresy: ACLs not inherently bad
lists at notatla.org.uk
Sat Sep 20 08:30:19 CDT 2008
"Jonathan S. Shapiro" wrote:
> > when a
> > cap passes from the graph to the principal, that access level is
> > provided through a facet; in the other direction, the cap is unwrapped/
> > converted to the 'base' state that lives in the graph.
> OK. Now can you explain how, when one of the wrapped capabilities gets
> passed from one user of the data set to the next, and the first user's
> access is revoked while the second user still holds the descriptor, the
> second user's access rights through the descriptor are preserved?
Suppose you can send a request over this descriptor asking for
another descriptor (like this one but usable outside the facet)
to be passed back in the reply? Then the provider can revoke the
first and retain the second. PKI can authenticate the users - so
it's really the second user and not the first again. (A possible
reply would be "No; keep using this one" which would preserve the
ability of the first user to revoke the second.)
If everybody makes this request as a matter of course on caps they
receive indirectly, the second user won't need to know that revocation
is coming for the first before he does it.
And to keep the properties of the facet unchanged the provider MAY
generate a new facet that matches the old one based on evidence of
the client sending one request of every type they might want
(that assumes a reasonably short list of them) with an "ignore bit" set.
I'm sure there are cases this wouldn't help with; the PKI is a pain,
and a facet can obstruct a "new descriptor" request.
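The exchange sketched in this message, modelled as an added example that is not part of the original post or of any real capability system: a provider hands the first user a read-only facet, the second user receives it indirectly (wrapped by the first user's descriptor), probes the facet with the "ignore bit" set, then asks over that descriptor for a descriptor of his own, and the provider either re-issues one with a matching facet or replies "No; keep using this one". The `Provider`, `Descriptor`, `sign_request` and `scenario` names, the operation set, and the use of HMAC with pre-registered keys as a stand-in for PKI authentication of the requester are all assumptions of the example.

```python
"""Constructed model of the "ask for my own descriptor" dance (example code)."""
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class Descriptor:
    id: int
    holder: str                      # principal the provider issued this descriptor to
    facet: frozenset                 # operation names the facet lets through
    parent: Optional["Descriptor"]   # set when this is a cap wrapped by another descriptor
    revoked: bool = False


def sign_request(key: bytes, principal: str, desc_id: int) -> str:
    """Requester's proof of identity (HMAC stands in for a PKI signature here)."""
    return hmac.new(key, f"{desc_id}:{principal}".encode(), hashlib.sha256).hexdigest()


class Provider:
    """Owns the base state ("the graph") and every descriptor onto it."""

    def __init__(self, reissue: bool):
        self.reissue = reissue              # policy: honour "give me my own descriptor"?
        self._ids = itertools.count(1)
        self._keys = {}                     # principal -> key (assumed PKI stand-in)
        self._state = {"value": "base"}     # the base object living in the graph
        self._ops = {"read": lambda: self._state["value"],
                     "write": lambda: self._state.update(value="changed")}

    def register(self, principal: str, key: bytes) -> None:
        self._keys[principal] = key

    def issue(self, holder: str, facet, parent: Optional[Descriptor] = None) -> Descriptor:
        return Descriptor(next(self._ids), holder, frozenset(facet), parent)

    def delegate(self, desc: Descriptor, to: str) -> Descriptor:
        """Second user receives the cap indirectly: same facet, wrapped by desc."""
        return self.issue(to, desc.facet, parent=desc)

    @staticmethod
    def revoke(desc: Descriptor) -> None:
        desc.revoked = True

    @staticmethod
    def _live(desc: Optional[Descriptor]) -> bool:
        # A wrapped cap dies with any descriptor it was derived from.
        while desc is not None:
            if desc.revoked:
                return False
            desc = desc.parent
        return True

    def invoke(self, desc: Descriptor, op: str, ignore: bool = False):
        """Run op through the facet; with the ignore bit set, only check it would be allowed."""
        if not self._live(desc):
            raise PermissionError("descriptor revoked")
        if op not in desc.facet:
            raise PermissionError(f"{op!r} not in facet")
        if ignore:
            return None
        return self._ops[op]()

    def request_new_descriptor(self, desc: Descriptor, principal: str, sig: str, evidence):
        """Request sent over desc: 'pass me back a descriptor of my own like this one'.

        Returns None for the reply "No; keep using this one"."""
        if not self._live(desc):
            raise PermissionError("descriptor revoked")
        key = self._keys.get(principal)
        if key is None or not hmac.compare_digest(sign_request(key, principal, desc.id), sig):
            raise PermissionError("requester not authenticated")
        if not self.reissue:
            return None
        # Rebuild the facet from the ops the client probed with the ignore bit,
        # keeping only those the old facet actually let through.
        facet = {op for op in evidence if op in desc.facet}
        # Issued to the authenticated principal, with no parent: the first
        # user's revocation no longer reaches it.
        return self.issue(principal, facet, parent=None)


def probe_facet(provider: Provider, desc: Descriptor, candidates):
    """Send one request of every type with the ignore bit set; keep the ones that pass."""
    allowed = []
    for op in candidates:
        try:
            provider.invoke(desc, op, ignore=True)
            allowed.append(op)
        except PermissionError:
            pass
    return allowed


def scenario(reissue: bool) -> dict:
    """Alice gets a read-only facet, Bob gets it indirectly, Alice is revoked."""
    p = Provider(reissue)
    p.register("alice", b"alice-key")          # constructed principals and keys
    p.register("bob", b"bob-key")
    alice_cap = p.delegate(p.issue("alice", {"read"}), "alice") if False else p.issue("alice", {"read"})
    bob_cap = p.delegate(alice_cap, "bob")
    evidence = probe_facet(p, bob_cap, ["read", "write", "delete"])
    try:   # Alice's key cannot sign Bob's request: it really is the second user
        p.request_new_descriptor(bob_cap, "bob", sign_request(b"alice-key", "bob", bob_cap.id), evidence)
        forged_rejected = False
    except PermissionError:
        forged_rejected = True
    own = p.request_new_descriptor(bob_cap, "bob", sign_request(b"bob-key", "bob", bob_cap.id), evidence)
    p.revoke(alice_cap)

    def can(desc, op):
        try:
            p.invoke(desc, op)
            return True
        except PermissionError:
            return False

    return {"evidence": evidence, "forged_rejected": forged_rejected,
            "reissued": own is not None,
            "bob_via_old": can(bob_cap, "read"),
            "bob_via_own": own is not None and can(own, "read"),
            "own_facet_unchanged": own is not None and own.facet == alice_cap.facet,
            "bob_can_write": own is not None and can(own, "write")}
```

With `reissue=True` the second user keeps read access through his own descriptor after the first user is revoked, and the rebuilt facet is still read-only; with `reissue=False` the provider's "keep using this one" reply leaves him subject to the first user's revocation, which is exactly the trade-off the message describes.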