[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Mark S. Miller markm@caplet.com
Tue, 23 Jan 2001 07:59:43 -0800


At 05:56 AM Tuesday 1/23/01, Jonathan S. Shapiro wrote:
>No it isn't. The problem is that I have some object A. I give cap(A) to
>you intentionally and correctly. I give cap(A) to Fred by accident. If I
>revoke A, then the copies of cap(A) that I gave to you get lost too.
>
>Unfortunately, the feasible recovery strategies introduce some very
>serious security issues.
>
>There really is a valid argument for some form of ACL here.

If you are the kind of creature (such as a person operating a UI) that might 
mistakenly give out capabilities, realize their mistake, and try to recover 
from it, then you (the human) or your computational support system (the 
security supporting UI, forward reference to Walker, Yee) should by default 
manufacture and hand out a separately revocable capability for each separate 
granting action.

Then, the above situation could only arise when the "I" above also 
mistakenly overrides this default policy, or when the "I" isn't capable of 
such regret (a normal object), and so didn't pay the costs for this extra 
bookkeeping.


        Cheers,
        --MarkM
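The default policy MarkM describes, a separately revocable capability manufactured per granting action, as an added JavaScript example that is not code from this thread or from E; the Proxy-based forwarder, the `makeGrantor` bookkeeping and the recipient names are assumptions.

```javascript
// Added example (not from the E-Lang list): a per-grant revocable forwarder.
// A capability here is simply an object reference; holding it is holding the
// authority. The forwarder relays calls to the target until revoked.
function makeRevocable(target) {
  let current = target;
  const forwarder = new Proxy({}, {
    get(_, prop) {
      if (current === null) throw new Error("capability revoked");
      const value = Reflect.get(current, prop);
      return typeof value === "function" ? value.bind(current) : value;
    },
  });
  const revoke = () => { current = null; };
  return { forwarder, revoke };
}

// Grantor following the default policy: a fresh forwarder/revoker pair for
// every grant, keyed by recipient, so one mistaken grant can be withdrawn
// without touching the copies handed to anyone else. (Hypothetical names.)
function makeGrantor(target) {
  const revokers = new Map();
  return {
    grantTo(recipient) {
      const { forwarder, revoke } = makeRevocable(target);
      revokers.set(recipient, revoke);
      return forwarder;
    },
    revokeFrom(recipient) {
      const revoke = revokers.get(recipient);
      if (revoke) { revoke(); revokers.delete(recipient); }
    },
  };
}

// The scenario from the thread: cap(A) given to "you" on purpose and to
// "fred" by accident; revoking Fred's grant must leave yours working.
function demo() {
  const objectA = { count: 0, poke() { this.count += 1; return this.count; } };
  const grantor = makeGrantor(objectA);
  const yours = grantor.grantTo("you");
  const freds = grantor.grantTo("fred");   // the accidental grant
  yours.poke();                             // count -> 1
  freds.poke();                             // count -> 2
  grantor.revokeFrom("fred");
  let fredBlocked = false;
  try { freds.poke(); } catch (e) { fredBlocked = true; }
  return { yoursStillWorks: yours.poke() === 3, fredBlocked };
}
```

Had the grantor handed out `objectA` itself to both parties, there would be nothing to revoke short of replacing A, which is exactly the loss Shapiro describes.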