[E-Lang] Java 2 "Security" (was: Re: WelcomeChrisSkalkaandScottSmith of Johns Hopkins)
Thu, 1 Feb 2001 11:01:44 -0000
Nikita Borisov wrote:
> In article <firstname.lastname@example.org>,
> Tyler Close <email@example.com> wrote:
> >David Wagner wrote:
> >> But what's of much more interest to me than semantics is a technical
> >> question: What's the matter with designs that combine ACL's and
> >> delegation? For instance, what's broken about my proposal?
> >Your proposal, as I understand it, is to invert the capability model,
> >so that all access authorities are held in a central database, as
> >opposed to being held by the subjects.
> In an ACL system, the ACLs are held by the objects, and not in a central
The primitive that David suggested was a delegate() system call.
Whether the implementation of this delegate call uses a single
database, or a separate database for each subject, is irrelevant. All
of my arguments still apply.
> >Although not stated, I assume that your design also requires that all
> >accesses of Bob must be preceded by some sort of system
> >method call, like:
> > authorize(carol_id, bob_id);
> This is not typically the case in an ACL system; instead, each access is
> checked by a reference monitor which verifies that Bob's ACL includes
> Carol. There's no need to explicitly authorize access.
You deleted the next sentence that came after the authorize spec:
> This authorize() invocation would have to be part of the runtime, such
> that it would be impossible for Carol to access Bob without invoking
> Both of the details that you suggest (and then proceed to find fault
> with) are not part of traditional ACL systems; I fail to see what part
> of David's proposal necessitates their introduction.
Both of these "details" are inherent (and core) to the functionality
of an ACL system. All of my points apply.
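The two designs argued over in this thread, as an added toy model that is not part of the original exchange or of any E-Lang code: on the ACL side each object carries its own ACL, subjects hold only identifiers, every read is mediated by a reference monitor, and the delegate() primitive is the one call that extends an ACL; on the capability side possession of the reference is the authority and delegation is just handing the reference over. All names here (Subject, Resource, ReferenceMonitor, Capability, the "doc-1" identifier and the "payroll" contents) are invented for the illustration.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised by the reference monitor when an ACL check fails."""


@dataclass(frozen=True)
class Subject:
    name: str


@dataclass
class Resource:
    """An object together with its own ACL (the ACL is held by the object)."""
    contents: str
    acl: set = field(default_factory=set)   # names of subjects allowed to read


class ReferenceMonitor:
    """ACL model: subjects hold only identifiers; every access is mediated here."""

    def __init__(self):
        self._objects = {}

    def create(self, owner, obj_id, contents):
        self._objects[obj_id] = Resource(contents, {owner.name})
        return obj_id                       # the caller never sees the Resource

    def read(self, subject, obj_id):
        # The check is part of the access itself: there is no way to reach
        # Resource.contents except through this call, so no separate
        # authorize() step is needed before the access.
        res = self._objects[obj_id]
        if subject.name not in res.acl:
            raise AccessDenied(f"{subject.name} may not read {obj_id}")
        return res.contents

    def delegate(self, subject, obj_id, grantee):
        """A delegate() primitive (hypothetical): a subject that already holds
        the right can extend the object's ACL to another subject."""
        res = self._objects[obj_id]
        if subject.name not in res.acl:
            raise AccessDenied(f"{subject.name} cannot delegate {obj_id}")
        res.acl.add(grantee.name)
        return frozenset(res.acl)


class Capability:
    """Capability model: the reference is the authority; no monitor, no ACL."""

    def __init__(self, contents):
        self._contents = contents

    def read(self):
        return self._contents


def acl_scenario():
    """Alice creates a resource; Carol is refused, cannot grant herself access,
    and gets in only after Alice delegates to Bob and Bob delegates on to Carol."""
    alice, bob, carol = Subject("alice"), Subject("bob"), Subject("carol")
    monitor = ReferenceMonitor()
    doc = monitor.create(alice, "doc-1", "payroll")   # constructed sample data
    outcome = {}
    try:
        monitor.read(carol, doc)
        outcome["carol_before"] = "allowed"
    except AccessDenied:
        outcome["carol_before"] = "denied"
    try:
        monitor.delegate(carol, doc, carol)      # cannot grant what you lack
        outcome["carol_self_grant"] = "allowed"
    except AccessDenied:
        outcome["carol_self_grant"] = "denied"
    monitor.delegate(alice, doc, bob)
    outcome["acl_final"] = monitor.delegate(bob, doc, carol)
    outcome["carol_after"] = monitor.read(carol, doc)
    return outcome


def capability_scenario():
    """Same story without a monitor: authority moves by passing the reference."""
    alice_cap = Capability("payroll")   # constructed sample data
    bob_cap = alice_cap                 # Alice delegates to Bob
    carol_cap = bob_cap                 # Bob delegates to Carol
    # Nobody consulted an ACL; a subject without the reference has nothing to call.
    return carol_cap.read()


if __name__ == "__main__":
    print(acl_scenario())
    print(capability_scenario())
```

The model makes the structural difference concrete: in the ACL version the only way to get Resource.contents is through ReferenceMonitor.read(), so the check is inseparable from the access, and delegate() is itself guarded by the same ACL; in the capability version there is no check anywhere because the object reference is not reachable without having been handed it.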