[E-Lang] Java 2 "Security" (was: Re: WelcomeChrisSkalkaandScottSmith of Johns Hopkins)

Tyler Close tclose@oilspace.com
Thu, 1 Feb 2001 11:01:44 -0000

Nikita Borisov wrote:
> In article <000401c08860$e15d4d00$763adbd5@skin.oilspace.com>,
> Tyler Close <tclose@oilspace.com> wrote:
> >David Wagner wrote:
> >> But what's of much more interest to me than semantics is
> a technical
> >> question: What's the matter with designs that combine ACL's and
> >> delegation?  For instance, what's broken about my proposal?
> >
> >Your proposal, as I understand it, is to invert the
> capability model,
> >so that all access authorities are held in a central database, as
> >opposed to being held by the subjects.
> In an ACL system, the ACLs are held by the objects, and not
> in a central
> database.

The primitive that David suggested was a delegate() system call.
Whether this implementation of this delegate call uses a single
database, or a separate database for each subject is irrelevant. All
of my arguments still apply.

> >Although not stated, I assume that your design also
> requires that all
> >accesses of Bob must be preceded by some sort of system
> "authorize()"
> >method call, like:
> >
> >	authorize(carol_id, bob_id);
> This is not typically the case in an ACL system; instead,
> each access is
> checked by a reference monitor which verifies that Bob's
> ACL includes
> Carol.  There's no need to explicitly authorize access.

You deleted the next sentence that came after the authorize spec:

I wrote:
> This authorize() invocation would have to be part of the
> runtime, such
> that is would be impossible for Carol to access Bob without invoking
> authorize().

You wrote:
> Both of the details that you suggest (and then proceed to find fault
> with) are not part of traditional ACL systems; I fail to
> see what part
> of David's proposal necessitates their introduction.

Both of these "details" are inherent (and core) to the functionality
of an ACL system. All of my points apply.