black-box re-use? (was: Re: [E-Lang] MintMaker with ACLs)
Thu, 01 Feb 2001 07:40:12 -0800

Hi, Tyler!

Tyler wrote:
> > Is this difference a necessary consequence of the security models, or a
> > design decision on the part of language designers, or a design decision
> > on the part of the programmers, MarkM(?) and Hal?
> You didn't ask me, but I think it's inherent to the security model.

I didn't mean "I'm asking MarkM and Hal.", I meant "the programmers,
MarkM and Hal".  I've always been impressed with your ideas about
programming languages, Tyler, although sometimes only after the fact.
I didn't really believe all those things that you told me in Anguilla
in '99 (threading bad! inheritance bad!) until I spent 9 months
struggling with Java and then 12 months playing with Python.

> The access check is at the subject. If the subject doesn't check,
> there is no check. What else can be said?

Hm.  Couldn't I write a "black box" irs extension to HalMint with a
proxy...  I make an "irsproxy" principal who has access to...

 ...  Oh, I see that I can't do it without changing the HalMint code
itself, because the access check is inside the HalMint code.  As you

Hm.  And if I understand correctly, moving the access check outside the
HalMint code and having an access mechanism that could be used,
black-box-style, by either the account owner or by the IRS, would be
ipso facto capabilities instead of ACLs.

Okay, I'm convinced that you can't layer a more restrictive security
policy over a less restrictive one (with black-box re-use of the less
restrictive policy code and of the behaviour code itself) with ACLs the
way that I can with capabilities.

But I need to think (and read) about it more, so y'all keep on talking.

What I think I've learned is that with ACLs I can't separate code that
implements different security policies (for different principals) to
the same behaviour.  All code that implements a security policy for a
given behaviour will have to be in the same place -- immediately before
the code that implements the behaviour of the subject.

By the way, I'm amused to note that my normal intuitions align so
closely with capabilities that I assumed I would be able to do the same
thing with HalMint right up until I started typing the code that
I thought would do it.
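The layering the message describes, as an added example that is not code from this thread, from HalMint or from MintMaker: a capability-style purse whose authority is the reference itself, an attenuating audit facet layered over it without editing the purse, and a minimal ACL-style mint in which the check sits inside the subject. All names (Purse, audit_facet, AclMint) are this example's own.

```python
class Purse:
    """Capability style: holding a reference to the purse IS the authority."""
    def __init__(self, balance=0):
        self._balance = balance

    def balance(self):
        return self._balance

    def withdraw(self, amount):
        # Only the purse's own invariant is checked; no principal lookup here.
        if not 0 < amount <= self._balance:
            raise ValueError("insufficient funds")
        self._balance -= amount
        return Purse(amount)  # new purse carrying the withdrawn funds


def audit_facet(purse):
    """Attenuate a purse to a read-only view. Purse is reused black-box:
    its code is untouched, and the owner keeps the unattenuated reference."""
    class ReadOnly:
        def balance(self):
            return purse.balance()
    return ReadOnly()


class AclMint:
    """ACL style: the check lives inside the subject's code, so a new, more
    restrictive policy (an audit-only view) means editing this class."""
    def __init__(self):
        self._balances = {}
        self._acl = {}  # (account, principal) -> permitted operations

    def open(self, account, owner, amount):
        self._balances[account] = amount
        self._acl[(account, owner)] = {"balance", "withdraw"}

    def balance(self, principal, account):
        if "balance" not in self._acl.get((account, principal), ()):
            raise PermissionError(principal)
        return self._balances[account]


def demo():
    owner = Purse(100)
    auditor = audit_facet(owner)  # hand out only the attenuated facet
    owner.withdraw(30)            # the owner's own authority is unchanged
    can_spend = hasattr(auditor, "withdraw")
    mint = AclMint()
    mint.open("acct", "alice", 50)
    try:
        mint.balance("auditor", "acct")  # no ACL entry: refused inside AclMint
        acl_refused = False
    except PermissionError:
        acl_refused = True
    return owner.balance(), auditor.balance(), can_spend, acl_refused
```

The facet can be handed to a second principal while Purse stays a sealed box; granting the same view in AclMint requires a change to the mint itself.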