[cap-talk] "ACLs don't" paper rejected from Oakland 09
Toby Murray
toby.murray at comlab.ox.ac.uk
Sun Feb 1 18:01:33 CST 2009
On Sun, 2009-02-01 at 14:38 -0800, Jed Donnelley wrote:
> 4. I really like this paragraph:
> __________
> In contrast to the ACL reference monitor, the capability
> reference monitor performs access checks earlier
> in the call chain of messages, when the principal
> designating a particular object is still known. The
> result of an access check is reified as a capability that
> can be transferred to other principals, and so used in
> messages that combine the permission with those of
> the other principals. A message at the end of such
> a call chain may exercise permissions contributed by
> many principals, each one authorizing some specific,
> smaller part of the requested operation. In a capability
> language, this construction of messages from capabilities
> is expressed using the language's normal argument
> passing syntax.
> ___________
>
> I believe that paragraph contains the essence of the
> problem that you're pointing out.
So do I. Comments from others in this thread would appear to agree. I'd
consider a refactoring of the paper that puts this claim
front-and-centre.
Cheers
Toby
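
The mechanism described in the quoted paragraph, as an added example that is not part of this message or of the paper under discussion: a Python model of a compiler service that writes a client-named output file and its own billing file, first with an ACL-style check and then with capabilities passed as ordinary arguments. The principals, file names, ACL entries and function names are all constructed for illustration, and Python does not enforce encapsulation, so `WriteCap` only models an unforgeable capability.

```python
# Added illustration: principals, object names and ACL entries are constructed.
class Denied(Exception):
    pass

ACL = {"billing.log": {"compiler"}, "alice/out.o": {"alice"}}  # object -> writers
STORE = {}                                                     # object -> contents

def check(principal, name):
    if principal not in ACL.get(name, set()):
        raise Denied(f"{principal} may not write {name}")

# ACL style: the check runs at the end of the call chain, against the immediate
# sender, after the principal who designated out_name has been forgotten.
def acl_write(principal, name, data):
    check(principal, name)
    STORE[name] = data

def acl_compile(source, out_name):
    acl_write("compiler", "billing.log", "billed")     # name chosen by the compiler
    acl_write("compiler", out_name, "obj:" + source)   # name chosen by the client

# Capability style: the check runs when the object is designated, and its result
# is reified as an object that travels as an ordinary argument.
class WriteCap:
    def __init__(self, name):
        self._name = name

    def write(self, data):
        STORE[self._name] = data

def open_for_write(principal, name):
    check(principal, name)           # the designating principal is still known
    return WriteCap(name)

def cap_compile(source, out_cap, billing_cap):
    billing_cap.write("billed")      # permission contributed by the compiler
    out_cap.write("obj:" + source)   # permission contributed by the client

if __name__ == "__main__":
    acl_compile("src", "billing.log")            # client names the billing file
    print("ACL style:", STORE)                   # billing record was overwritten
    STORE.clear()
    out = open_for_write("alice", "alice/out.o")
    bill = open_for_write("compiler", "billing.log")
    cap_compile("src", out, bill)                # one message, two contributors
    print("capability style:", STORE)
```

In the ACL version the compiler's own authority is applied to a name the client supplied; in the capability version the client cannot obtain a `WriteCap` for `billing.log` at all, so there is nothing to pass.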