black-box re-use? (was: Re: [E-Lang] MintMaker with ACLs)
Thu, 01 Feb 2001 07:40:12 -0800
> > Is this difference a necessary consequence of the security models, or a
> > design decision on the part of language designers, or a design decision
> > on the part of the programmers, MarkM(?) and Hal?
> You didn't ask me, but I think it's inherent to the security model.
I didn't mean "I'm asking MarkM and Hal.", I meant "the programmers,
MarkM and Hal". I've always been impressed with your ideas about
programming languages, Tyler, although sometimes only after the fact.
I didn't really believe all those things that you told me in Anguilla
in '99 (threading bad! inheritance bad!) until I spent 9 months
struggling with Java and then 12 months playing with Python.
> The access check is at the subject. If the subject doesn't check,
> there is no check. What else can be said?
Hm. Couldn't I write a "black box" IRS extension to HalMint with a
proxy... I make an "irsproxy" principal who has access to...
... Oh, I see that I can't do it without changing the HalMint code
itself, because the access check is inside the HalMint code. As you
Hm. And if I understand correctly, moving the access check outside the
HalMint code and having an access mechanism that could be used,
black-box-style, by either the account owner or by the IRS, would be
ipso facto capabilities instead of ACLs.
Okay, I'm convinced that you can't layer a more restrictive security
policy over a less restrictive one (with black-box re-use of the less
restrictive policy code and of the behaviour code itself) with ACLs the
way that I can with capabilities.
But I need to think (and read) about it more, so y'all keep on talking.
What I think I've learned is that with ACLs I can't separate code that
implements different security policies (for different principals) to
the same behaviour. All code that implements a security policy for a
given behaviour will have to be in the same place -- immediately before
the code that implements the behaviour of the subject.
By the way, I'm amused to note that my normal intuitions align so
closely with capabilities that I assumed I would be able to do the same
thing with HalMint right up until I started typing the code that
I thought would do it.
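As an added illustration (not code from this thread, HalMint or MintMaker), here is a minimal Python sketch of the capability-side point above: a more restrictive "IRS" policy is layered over a purse by a proxy object, reusing the mint code as a black box without editing it. The names Mint, Purse and AuditFacet are assumptions, and since Python does not enforce encapsulation the separation is structural rather than tamper-proof.

```python
# Added illustration, not HalMint/MintMaker code: a capability-style mint
# where policy is carried by which reference you hold, so a narrower policy
# can be added by wrapping a purse in a proxy, with no change to the mint.

class Mint:
    def make_purse(self, balance=0):
        return Purse(self, balance)

class Purse:
    """Full-authority purse: holding the reference is the only check."""
    def __init__(self, mint, balance):
        self._mint = mint
        self._balance = balance

    def balance(self):
        return self._balance

    def deposit(self, amount, src):
        # The mint's only policy: funds must come from a purse of this mint
        # and the amount must be covered by the source purse.
        if not isinstance(src, Purse) or src._mint is not self._mint:
            raise ValueError("foreign purse")
        if amount < 0 or amount > src._balance:
            raise ValueError("bad amount")
        src._balance -= amount
        self._balance += amount

class AuditFacet:
    """Attenuated proxy (hypothetical): exposes balance() only, no deposit()."""
    def __init__(self, purse):
        self._purse = purse

    def balance(self):
        return self._purse.balance()

def scenario():
    # Constructed sample: Alice holds 100, Bob holds 0, the IRS gets a facet.
    mint = Mint()
    alice = mint.make_purse(100)
    bob = mint.make_purse(0)
    irs_view = AuditFacet(alice)
    bob.deposit(30, alice)                 # account owner moves funds
    seen = irs_view.balance()              # IRS may look...
    can_move = hasattr(irs_view, "deposit")  # ...but cannot move funds
    return seen, bob.balance(), can_move

def rejects_foreign_purse():
    # The mint's own policy still applies underneath any facet.
    a, b = Mint().make_purse(10), Mint().make_purse(10)
    try:
        a.deposit(5, b)
    except ValueError:
        return True
    return False
```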