[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Jonathan S. Shapiro shap@cs.jhu.edu
Tue, 23 Jan 2001 08:56:22 -0500

Ben Laurie wrote:
> "Jonathan S. Shapiro" wrote:
> > Defense in depth also becomes appropriate for "second chance" security.
> > A major problem with capability systems is: "What do I do *after* I make
> > a mistake?" In the real world, we often know that the recipient does not
> > act immediately. It is desirable to be able to undo an erroneous
> > transmission. This, by the way, is where ACLs come into play.
> Isn't this trivially solved with revocable capabilities?

No it isn't. The problem is that I have some object A. I give cap(A) to
you intentionally and correctly. I give cap(A) to Fred by accident. If I
revoke A, then the copies of cap(A) that I gave to you get lost too.

Unfortunately, the feasible recovery strategies introduce some very
serious security issues.

There really is a valid argument for some form of ACL here.
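The failure mode described above, as an added illustration that is not part of the original thread: a revocable capability modelled as a forwarder (the caretaker pattern) in Python. The names `Resource`, `RevocableCap` and the two scenario functions are assumptions made for this example; the second scenario assumes the owner kept a per-recipient record of which forwarder went to whom, which is the ACL-like bookkeeping the post argues for, and is not a claim about any particular system.

```python
class Revoked(Exception):
    """Raised when a holder uses a capability after it was revoked."""

class Resource:
    """The underlying object A; anyone holding a direct reference can use it."""
    def __init__(self, name):
        self.name = name
    def read(self):
        return f"contents of {self.name}"

class RevocableCap:
    """A forwarder to A. Holders see only the forwarder; revoke() severs it."""
    def __init__(self, target):
        self._target = target
    def read(self):
        if self._target is None:
            raise Revoked("capability was revoked")
        return self._target.read()
    def revoke(self):
        self._target = None

def shared_cap_scenario():
    """One revocable cap(A) reaches both parties; revoking it cuts off both."""
    a = Resource("A")
    cap_a = RevocableCap(a)
    alice = cap_a      # intended recipient
    fred = cap_a       # accidental recipient: the very same forwarder
    before = (alice.read(), fred.read())
    cap_a.revoke()     # the only remedy a single shared cap offers
    after = []
    for holder in (alice, fred):
        try:
            after.append(holder.read())
        except Revoked:
            after.append(None)
    return before, tuple(after)

def per_recipient_scenario():
    """Assumed bookkeeping of who holds which forwarder lets Fred alone be cut off."""
    a = Resource("A")
    issued = {"alice": RevocableCap(a), "fred": RevocableCap(a)}  # constructed record
    issued["fred"].revoke()
    result = {}
    for who, cap in issued.items():
        try:
            result[who] = cap.read()
        except Revoked:
            result[who] = None
    return result
```

Selective recovery works only in the second scenario, and only because a per-recipient record existed before the mistake was noticed.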