Fri, 19 Nov 1999 09:04:55 -0500
> Once again, we need to be clear about who the actor is. Non-transferable
> powers do not exist in the human sense. You cannot be prevented from
> telling me a secret if we can communicate. Ownership (i.e. title) is a
> social abstraction, and quite another matter it is useful not to confuse
> the two.
> However, we *can* specify and enforce policies in which *programs* are not
> permitted to transfer powers. In this sense the ACL mechanism is not
Took me a long time to make sense of this one. The arguments so far
seemed to point in the opposite direction - non-transferable powers
are common among humans but are computationally problematical. The
only way (I can see) to make a meaningful statement of the above is to
read "secrets" wherever it says "powers". Secrets are a proper subset
of powers. Keeping secrets is one mechanism of controlling access to
powers, but not the only mechanism. Given the extreme difficulty of
keeping secrets, this is a good thing.
> I think that the philosophical problem with ACLs is not that they describe
> unenforceable policies (they do not), but rather that tagging programs with
> something called a "user id" conveys a deeply misleading intuition about
> what policy and protections are actually being enforced by the mechanism;
> the reality has nothing to do with users. Also, all of the commodity ACL
> implementations are broken.
I'll drink to that.