[E-Lang] Re: Jonathan's new consensus proposal

Chris Hibbert hibbert@netcom.com
Wed, 07 Feb 2001 20:59:29 -0700

I sent my response to Jonathan's new consensus proposal privately to
Jonathan in deference to MarcS' request to not start on the next round
yet.  (I wanted to send my reactions right away to save myself the work
of recreating them later.)

Jonathan has asked me to publish them now so he can react publicly.  In
order to show that he didn't violate any expectation of privacy in my
message, I'll accede to his request.  I still think MarcS is right,
though, that it would be better to focus on his proposed statement of
consensus first before working on a second set of issues.


Here's my message to Jonathan:

> I'm responding now to this message so you can react to my responses
> before you next post it, whenever MarcS declares his current round done.
> "Jonathan S. Shapiro" wrote:
> > X) We all agree that there are circumstances in which ACL-type protections
> > can usefully be combined in hybrid form with capability-type mechanisms in
> > order to more efficiently support certain types of security policies (such
> > as MLS).
> I don't understand the point, yet.  I think it bears discussion, and the
> discussion may have already started in a separate thread.
> > X+1) We all agree that one of the key weaknesses in ACLs lies in the fact
> > that real implementations do not (and for reasons of efficiency cannot)
> > conform to the Lampson Access Matrix.
> I believe this.
> > X+2) We all agree that because of the equivalence class reduction mechanism
> > present in all real ACL implementations, it is NOT true in practice that
> > ACLs and capabilities are equivalent **even in the purely static view**.
> Seems right.
> > X+3) We all agree that the types of evolution in the protection graph that
> > arises in capability systems are qualitatively different from the types of
> > evolution that arise in typical ACL systems.
> This wasn't obvious before you explained (maybe that reveals that I
> haven't read your thesis?) but it seems pretty clear just based on your
> short explanation.
> > X+4) We all agree that for any ACL system having an "own" right of the
> > previously described type, in the absence of some other protection
> > mechanism, confinement can be violated in one step (a grant) regardless of
> > the initial access graph configuration.
> Agreed.
> > X+5) We can show that for any ACL system s.t. |domains| < |processes| it is
> > impossible in general to enforce per-process confinement in the absence of
> > additional protective mechanism.
> Pretty convincing.
> > Y) We all agree with the "Principle of Consent" which I will now define: if
> > two parties are communicating, [...], then the recipient of a communication
> > should consent to all receipt of authority [...].
> I agree with this in a normative sense, but I don't understand what it
> has to do with capability security.
> Chris