[E-Lang] Proxies in an ACL system

Ka-Ping Yee ping@lfw.org
Thu, 1 Feb 2001 08:56:34 -0800 (PST)


On 1 Feb 2001, David Wagner wrote:
> 
> One way to provide this level of functionality, in either a capability
> system or an ACL system, is to use "proxies".  We write a daemon that
> will run in the background; when it receives a request, it will forward
> that request to Bob and then self-destruct.  The daemon can incorporate
> an access control mechanism to make sure that only Carol can invoke
> the daemon (and we can use either an ACL or a capability to enforce this).

This sounds plausible only until you ask how Bob knows that he is
supposed to obey requests forwarded by the daemon!  Now the daemon
needs an identity and the entity passing it to Carol has to add the
daemon's identity to Bob's ACL.  Are the users of the system then
allowed to create new identities at will?  Do the ACLs simply grow
without bound as more of these throwaway objects are created to
express delegation?  Or are the ACLs somehow garbage-collected?

The issue quickly descends into a deep, dark pit from there...

(...unless you take it to its logical conclusion: in order to
garbage-collect the entries in the ACL, the system needs to
remember, for each subject, on which objects' ACLs it appears,
so that it can update these ACLs when the subject terminates.
And if we store with subjects the identities of the objects
they can access -- we're back to capabilities!)


-- ?!ng

Two links diverged in a Web, and i -- i took the one less travelled by.
    -- with apologies to Robert Frost
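A toy model of the objection in this post, added here as an illustration and not part of the thread or of either author's work: Wagner's proxy daemon needs its own identity on Bob's ACL, and only when the system also keeps, per subject, the list of objects whose ACLs name it (which is exactly a capability list) can it collect that entry when the daemon self-destructs. The subject and object names (alice, bob, carol, daemon0...) are constructed for the example.

```python
from collections import defaultdict

class AclSystem:
    """Objects hold ACLs (sets of subject names); optionally a per-subject reverse index."""
    def __init__(self, reverse_index):
        self.acl = defaultdict(set)      # object  -> subjects allowed to invoke it
        self.reverse = defaultdict(set)  # subject -> objects whose ACLs list it
        self.reverse_index = reverse_index
        self.dead = set()                # daemons that have self-destructed
        self.count = 0
    def grant(self, subject, obj):
        self.acl[obj].add(subject)
        if self.reverse_index:
            self.reverse[subject].add(obj)
    def allowed(self, subject, obj):
        return subject in self.acl.get(obj, set())
    def delegate(self, delegator, obj, delegatee):
        # Wagner's proxy: a throwaway daemon forwarding to obj, callable only by
        # delegatee. Bob's ACL must gain the daemon's identity (Yee's objection).
        assert self.allowed(delegator, obj)
        proxy, self.count = f"daemon{self.count}", self.count + 1
        self.grant(proxy, obj)        # new entry on Bob's ACL
        self.grant(delegatee, proxy)  # only Carol may invoke the daemon
        return proxy
    def invoke(self, caller, proxy, obj):
        # Carol calls the daemon; it forwards the request, then self-destructs.
        if not self.allowed(caller, proxy):
            return False
        ok = self.allowed(proxy, obj)
        self.terminate(proxy)
        return ok
    def terminate(self, subject):
        self.dead.add(subject)
        self.acl.pop(subject, None)   # the daemon's own ACL dies with it
        # Only the reverse index tells the system which ACLs still name the
        # dead daemon; without it those entries are never collected.
        for obj in self.reverse.pop(subject, set()):
            self.acl[obj].discard(subject)
    def stale(self):
        return sum(len(subjects & self.dead) for subjects in self.acl.values())

def simulate(reverse_index, rounds=3):
    """Alice delegates her access to bob to carol through `rounds` daemons.
    Returns (size of bob's ACL, stale entries, alice's reverse index)."""
    s = AclSystem(reverse_index)
    s.grant("alice", "bob")
    for _ in range(rounds):
        daemon = s.delegate("alice", "bob", "carol")
        assert s.invoke("carol", daemon, "bob")
    return len(s.acl["bob"]), s.stale(), set(s.reverse.get("alice", ()))
```

Without the reverse index Bob's ACL grows by one dead daemon per delegation; with it the ACL stays at one entry, and alice's reverse index {"bob"} is her capability list.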