[cap-talk] "ACLs don't" paper rejected from Oakland 09
Toby Murray
toby.murray at comlab.ox.ac.uk
Fri Jan 30 11:38:16 EST 2009
On Fri, 2009-01-30 at 09:13 -0800, Tyler Close wrote:
> ACLs
> arrived along with the claim that the access matrix was the "one true
> model of access control", meaning ACLs and capabilities were
> semantically equivalent. Now, I would have thought that in order to
> make a claim that two algorithms are equivalent, you'd have to provide
> some proof that their outputs are also always equivalent. No such
> proof was ever attempted or demanded for the access matrix claim.
The equivalence between ACLs and Capabilities has usually been stated in
contexts where the rules for updating the ACLs or for capability
propagation are unspecified, no?
> As
> I've shown in "ACLs don't", the outputs are not equivalent and so the
> equivalence claim is ridiculous (AFAIK, no other paper has ever put
> these two things together).
Two points: are the arguments in "ACLs don't" predicated on any set of
rules for permission propagation, no matter how sound or representative?
(such a rule might be "you can pass a capability only to another subject
that you possess a capability to that allows you to pass such a
capability to it". While sound, representative and useful, if the
arguments about any inequivalence require such a rule, then they don't
necessarily violate the equivalence claims.)
I think that CapMyths was the first to argue that ACLs and capabilities
are not equivalent. How do the claims in "ACLs don't" differ from those
in CapMyths? (I really need to re-read "ACLs Don't"..)
Cheers
Toby