Communicating Conspirators

Marc Stiegler
Mon, 22 Nov 1999 10:13:37 -0700

> The above [ACLS as coarse-grained capabilities] is not an argument for or
against capabilities or ACLs;
> it's merely an attempt to analyze what it is that may seem so
> seductive about ACLs and maybe help explain source of what Ralph
> Hartley sees as a deficiency in the capabilities model.
> Am i making any sense?

Indeed, ping, you have articulated a view that has been banging around in my
head for years, but which I've never pinned down to clear words and

One deduction: You can make a capability system as attractive as an ACL
system for "nontransferability" by creating only a few God-like
capabilities, in effect daring people to be foolish enough to give them
away. And of course people won't give them away in this
configuration...unless they have a deadline in 2 hours, the boss really
really needs the answer, and there's an expert who can insert the answer
into your presentation in just a few minutes...but since you can't just give
him one power, you'll give him everything, because, sheesh, we just know he
won't abuse it :-)  This system actually works not-too-badly, (hey, I've
done this, and it's always turned out OK)... until our computers start
carrying serious financial instruments, at which point it will fall fairly
horrifically to the ground.