[cap-talk] More Heresy: ACLs not inherently bad

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Thu Sep 25 05:44:43 CDT 2008


At Wed, 24 Sep 2008 23:18:54 -0700,
Bill Frantz <frantz at pwpconsult.com> wrote:
> 
> marcus.brinkmann at ruhr-uni-bochum.de (Marcus Brinkmann) on Wednesday, September 24, 2008 wrote:
> 
> >The first thing people
> >will add to a capability system (if they can and care about it) is a
> >root capability that gives access to all other capabilities, and they
> >will use it for all sorts of things.
> 
> We faced the problem of maintaining a system when we were using
> KeyKOS for commercial operations (and before when we were designing
> it).

[...]

> To enable this work, we kept keys to basic objects, and developed a
> number of rights amplification patterns. The rights amplification
> patterns are particularly interesting because they maintain the
> original security goal for building the system. That goal was to
> allow two mutually suspicious users, one with a program and one
> with some data, to let the program run on the data with the
> assurance that the program owner would get paid for the use of the
> program (and that the data owner wouldn't be able to steal the
> program), and that the program owner couldn't steal the data.

Given sufficient motivation and financial backing, I can see how these
things can be done.  But such strict approaches are not always
economical.  Sometimes it is better to lose the data than to unprotect
it, but often it's the other way round.

Not every site installation has a Norm, Bill or Alan at hand for their
convenience :)

My point here is that it is important that "universal" systems and
applications bend gracefully in the presence of changing demands.

Thanks,
Marcus
