[cap-talk] The ACL model is incomplete
Karp, Alan H
alan.karp at hp.com
Fri Apr 16 09:39:50 PDT 2010
David-Sarah Hopwood wrote:
> To be precise about that you would have to say which formalization of the
> ACL model you're talking about.
I'm not talking about any particular formalism, just the naïve model of an ACL listing who has what permissions on what resource.
> > Updating the ACL requires stepping outside the model by
> > introducing the concepts of "administrator" and "owner."
> I don't think this is a particularly cogent criticism of real-world systems,
> which always do have some way to update ACLs.
They must, but those mechanisms necessarily go beyond the basic concept. The "owner" entry in an ACL for a resource specifies a permission on the ACL, not the resource. To be consistent, that entry should appear in an ACL for the ACL for the resource. Of course, that ACL would need an ACL of its own, ad infinitum.
> In any case, more important is the fact that the administrator or owner
> becomes a bottleneck in allowing sharing.
Agreed, but that's a separate point that's more controversial in DoD than it ought to be. My goal is to get them questioning their mental model so they'll be more receptive to ideas new to them.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
More information about the cap-talk