[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)
Mark S. Miller
markm@caplet.com
Tue, 23 Jan 2001 07:59:43 -0800
At 05:56 AM Tuesday 1/23/01, Jonathan S. Shapiro wrote:
>No it isn't. The problem is that I have some object A. I give cap(A) to
>you intentionally and correctly. I give cap(A) to Fred by accident. If I
>revoke A, then the copies of cap(A) that I gave to you get lost too.
>
>Unfortunately, the feasible recovery strategies introduce some very
>serious security issues.
>
>There really is a valid argument for some form of ACL here.
If you are the kind of creature (such as a person operating a UI) that might
mistakenly give out capabilities, realize their mistake, and try to recover
from it, then you (the human) or your computational support system (the
security supporting UI, forward reference to Walker, Yee) should by default
manufacture and hand out a separately revocable capability for each separate
granting action.
Then, the above situation could only arise when the "I" above also
mistakenly overrides this default policy, or when the "I" isn't capable of
such regret (a normal object), and so didn't pay the costs for this extra
bookkeeping.
Cheers,
--MarkM
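The per-grant revocable capability MarkM describes, as an added example that is not part of the original thread or of E itself: a caretaker-style forwarder in JavaScript, where makeAccount, makeCaretaker, makeGranter and scenario are names assumed for this demonstration.

```javascript
// Added example, not code from the E-Lang thread or from the E language itself:
// a per-grant revocable forwarder (the "caretaker" pattern) in plain JavaScript.
// makeAccount, makeCaretaker, makeGranter and scenario are names assumed here.

// Stand-in for "object A" (constructed sample); all members are methods, as makeCaretaker assumes.
function makeAccount(balance) {
  return { balance: () => balance, deposit: (n) => { balance += n; return balance; } };
}

// Forwarder to target plus a revoke function. Each call re-checks the link, so after
// revoke() calls throw; other forwarders to the same target are unaffected.
function makeCaretaker(target) {
  let live = target;
  const forwarder = new Proxy({}, {
    get: (_, method) => (...args) => {
      if (live === null) throw new Error('capability revoked');
      return live[method](...args);
    },
  });
  return { forwarder, revoke: () => { live = null; } };
}

// The default policy the message argues for: each separate granting action gets its
// own revocable capability, so a mistaken grant is undone without touching the rest.
function makeGranter(target) {
  const grants = new Map(); // recipient -> revoke function for that grant
  return {
    grant(recipient) {
      const { forwarder, revoke } = makeCaretaker(target);
      grants.set(recipient, revoke);
      return forwarder;
    },
    revokeGrant(recipient) {
      const revoke = grants.get(recipient);
      if (revoke) { revoke(); grants.delete(recipient); }
    },
  };
}

// The thread's scenario: grant to "you" correctly and to Fred by accident, then
// revoke only Fred's grant and report which forwarders still work.
function scenario() {
  const granter = makeGranter(makeAccount(100));
  const yours = granter.grant('you');
  const freds = granter.grant('fred');
  granter.revokeGrant('fred');
  let fredStillWorks = true;
  try { freds.balance(); } catch (e) { fredStillWorks = false; }
  return { youStillWork: yours.deposit(5) === 105, fredStillWorks };
}
```

Had "I" handed out the raw account object for both grants instead, the only way to cut Fred off would be to disable the account itself, which is exactly the shared loss the quoted message describes.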