[E-Lang] Summary for Practical Programming

David Wagner daw@mozart.cs.berkeley.edu
2 Feb 2001 00:51:16 GMT

Marc Stiegler wrote:
>4. We all agree that capability systems lend themselves more easily to code
>reuse than ACLs because you don't have to go back into the existing code to
>create new mechanism for new refactored forms of security, you can just wrap
>the existing system in a capability disciplined way.

Well, I'd like to see this one explained a little further before
I'm convinced.

(If there's an existing essay that tries to advance this point,
feel free to point me to it and tell me to RTFM!)

>6. We all agree that POLA is an inherent characteristic in the nature of
>capability systems,

I'm unconvinced, so far (but am open to supporting arguments).  As far
as I can tell, the POLA seems to be in the way you use the protection
system; it's not a necessary consequence of using (say) capabilities.
If you phrased this a little more carefully -- e.g., "capabilities are
one way to enable programmers to follow the POLA" -- I would be more
inclined to agree.

>For a Practical Programmer reading this summary, then, I personally would
>draw the following conclusion: if you want to build a complex flexibly
>secure system starting this afternoon, the place to start is either with E
>or with EROS or with both. Starting with Unix and C++ is just a bad choice.

Heh, well, you probably won't be surprised if I say that I haven't yet
been convinced that this follows from your other claims.
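
Added illustration, not part of the thread or of E/EROS: a small Python
sketch of what "wrapping an existing system in a capability-disciplined
way" (point 4) and "POLA is a property of how you use the protection
system" (the reply to point 6) look like in code. The Store class stands
in for an existing subsystem that is never edited; ReadOnly and Revocable
are constructed attenuators layered around it. Note the caveat: Python is
not a capability-secure language (the wrapper's _store attribute is still
reachable by a determined caller), so this shows the discipline, not an
enforced guarantee.

```python
"""Constructed example: capability-style wrapping of unmodified code, and
POLA as a call-site choice. Store, ReadOnly, Revocable and report() are all
hypothetical names for this illustration."""


class Store:
    """Stands in for existing, unmodified code with full read/write/delete power."""

    def __init__(self):
        self._items = {}

    def read(self, key):
        return self._items[key]

    def write(self, key, value):
        self._items[key] = value

    def delete(self, key):
        del self._items[key]


class ReadOnly:
    """Attenuator: holds the full Store privately and re-exports only read().
    New policy is added by wrapping; Store itself is untouched."""

    def __init__(self, store):
        self._store = store  # never exposed through the public surface

    def read(self, key):
        return self._store.read(key)


class Revocable:
    """Second attenuation, layered on any object: forwards calls until revoked."""

    def __init__(self, target):
        self._target = target

    def revoke(self):
        self._target = None

    def __getattr__(self, name):
        # Only reached for names not defined on Revocable itself.
        if self._target is None:
            raise PermissionError("capability revoked")
        return getattr(self._target, name)


def report(view):
    """A consumer that only needs to read one key."""
    return f"config={view.read('config')}"


def run(follow_pola):
    """POLA is decided here, at the call site: hand out the attenuated
    reference or the full object. Nothing in the language forces the former."""
    store = Store()
    store.write("config", "v1")
    ref = ReadOnly(store) if follow_pola else store
    out = report(ref)
    # Does the consumer's reference also carry delete authority?
    can_delete = hasattr(ref, "delete")
    return out, can_delete


def demo_revocation():
    """Layer revocation on top of read-only access without changing Store."""
    store = Store()
    store.write("config", "v1")
    handle = Revocable(ReadOnly(store))
    before = report(handle)
    handle.revoke()
    try:
        report(handle)
        after = "still readable"
    except PermissionError:
        after = "revoked"
    return before, after


if __name__ == "__main__":
    print(run(True))          # ('config=v1', False)
    print(run(False))         # ('config=v1', True)
    print(demo_revocation())  # ('config=v1', 'revoked')
```

The two run() calls are the whole of Wagner's objection in miniature: the
same wrapper exists in both, but least authority is only achieved when the
caller chooses to pass it rather than the underlying Store.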