[cap-talk] "ACLs don't" paper rejected from Oakland 09

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Tue Feb 3 08:51:41 CST 2009


Toby Murray wrote:
> On Tue, 2009-02-03 at 13:18 +0000, David-Sarah Hopwood wrote:
>> Toby Murray wrote:
>>> On Mon, 2009-02-02 at 17:10 +0000, David-Sarah Hopwood wrote:
>>>> Toby Murray wrote:
>>>>> All equivalence claims between caps and ACLs are about expressible
>>>>> static configurations of permissions. In this case, they *are*
>>>>> equivalent -- both can express the same static configurations of
>>>>> permissions.
>>>> This is false, because in the capability case, the access matrix is
>>>> not an abstraction of all relevant protection state. In a capability
>>>> system, it matters (to the results of access decisions, and therefore
>>>> to the ability to resist classes of attack) which capabilities are stored
>>>> in which variables. This information is not present in the access matrix.
>>> Who says a cap system has variables in which caps can be stored? (In
>>> this case it wouldn't be an object-cap system but that wouldn't stop it
>>> from being a cap system.)
>> In any capability system, capabilities can be independently designated,
>> regardless of whether the system is type-partitioned or whether it is
>> an object-capability system.
> 
> Iguana and Mungi are counter-examples to this claim. See
> http://archives.devshed.com/forums/development-94/pola-and-mungi-iguana-style-apis-520706.html
[...]
> This doesn't stop them being cap systems, unless you want to narrow the
> definition of a cap system as well.

I do. Considering them to be capability systems weakens the definition
of a capability system too far. I suggest referring to systems in which
permissions can be reified, but that don't follow the same rules as
capability systems in how those permissions are designated and propagated,
"reified permission systems". Capability systems would then be a subset
of reified permission systems.

-- 
David-Sarah Hopwood ⚥


