[cap-talk] "ACLs don't" paper rejected from Oakland 09

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Feb 3 08:55:14 CST 2009


On Tue, 2009-02-03 at 14:03 +0000, David-Sarah Hopwood wrote:
> Toby Murray wrote:
> > In the ACL case, User's permissions are {Compiler.compile(x) | x denotes
> > any string}. In the capability case, User's permissions are
> > {Compiler.compile(Compiler)}. How do we know that these are, in fact,
> > different? We're not comparing apples with apples, since the text
> > strings have no meaning in the ACL case until interpreted by the
> > compiler.
> 
> It doesn't matter how file designators are represented in the ACL system
> [2]. The point is that, regardless of their representation, there is no
> restriction on constructing and sending a message containing those
> designators.

Nor is there in a cap system. I should have written that the User's
permissions in the cap system case are {Compiler.compile(Compiler)}
union X, where X denotes the User's permissions in the ACL case.

In this sense, under your definition, User's permissions are greater in
the cap case than in the ACL case. It is the user's authority that is
greater in the ACL case, however, since being able to send strings to
the compiler does not increase the user's authority.

Hence, I'd argue that there is a difference in permissions, but not the
one you were pointing to. The crucial difference still lies in the
user's authority.

Cheers

Toby
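The distinction drawn in the message above, as an added model that is not part of the original post or of any code by its participants. It assumes that "authority" is measured as the set of files the User can cause to be written; the class names and the file names billing.log and out.o are constructed for illustration.

```python
# Added model; class names and file names are constructed for illustration.
class File:
    def __init__(self, name):
        self.name, self.data = name, None

    def write(self, data):
        self.data = data

class AclCompiler:
    """compile(x) takes a string and opens it under the compiler's own ACL rights."""
    def __init__(self, files, compiler_may_write):
        self.files, self.acl = files, set(compiler_may_write)

    def compile(self, designator):
        # Only the compiler's identity is checked, never the sender's.
        if isinstance(designator, str) and designator in self.acl:
            self.files[designator].write("object code")

class CapCompiler:
    """compile(x) writes only through a File reference the caller already holds."""
    def compile(self, target):
        # A string or any non-File object is plain data: it designates nothing.
        if isinstance(target, File):
            target.write("object code")

def files_written(compiler, files, messages):
    """Send every message the user is permitted to send; report affected files."""
    for message in messages:
        compiler.compile(message)
    return {name for name, f in files.items() if f.data is not None}

def compare():
    names = ("billing.log", "out.o")
    strings = ["billing.log", "out.o", "no-such-file"]  # constructed sample of X

    acl_files = {n: File(n) for n in names}
    acl = AclCompiler(acl_files, compiler_may_write=names)
    acl_authority = files_written(acl, acl_files, strings)

    cap_files = {n: File(n) for n in names}
    cap = CapCompiler()
    cap_messages = [cap] + strings  # {Compiler.compile(Compiler)} union X
    cap_authority = files_written(cap, cap_files, cap_messages)

    return strings, acl_authority, cap_messages, cap_authority
```

In this model the cap-case message set is a strict superset of the ACL-case one, yet only the ACL-case User can cause any file to be written.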


