Communicating Conspirators
Thu, 18 Nov 1999 15:27:50 -0500

> Since ACLs *can* express the idea of non-transferability, they permit
> (indeed, encourage) the expression of fraudulent security promises.

Once again, we need to be clear about who the actor is.  Non-transferable
powers do not exist in the human sense. You cannot be prevented from
telling me a secret if we can communicate.  Ownership (i.e. title) is a
social abstraction, and quite another matter it is useful not to confuse
the two.

However, we *can* specify and enforce policies in which *programs* are not
permitted to transfer powers. In this sense the ACL mechanism is not

I think that the philosophical problem with ACLs is not that they describe
unenforceable policies (they do not), but rather that tagging programs with
something called a "user id" conveys a deeply misleading intuition about
what policy and protections are actually being enforced by the mechanism;
the reality has nothing to do with users. Also, all of the commodity ACL
implementations are broken.

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 6576