[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith
of Johns Hopkins)
Wed, 24 Jan 2001 11:50:04 +0000
David Wagner wrote:
> Mark S. Miller wrote:
> >At 05:56 AM Tuesday 1/23/01, Jonathan S. Shapiro wrote:
> >>There really is a valid argument for some form of ACL here.
> >[Use separately revocable capabilities]
> What's the difference?
> (It's not transferability: ACL's and capabilities both have the
> same power with respect to giving a copy of your privileges to others.)
The difference is that if I delegate my identity to a person or program,
they can do _anything_ I'm entitled to do according to the ACLs. If I
delegate a capability (revocable or otherwise) they are only entitled to
do the operations the capability permits. In other words a capability
only maps to an ACL if I have a separate identity for each facet of each
object I operate on - in other words, they don't map at all, except in
the wildest of theory.
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
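
The distinction drawn in the message above, as an added JavaScript sketch that is not part of the original post: a guard that checks identity against an ACL lets a delegate do everything the identity may do, while a separately revocable facet carries only the operations placed in it. All names (`makeLog`, `makeAclGuard`, `makeRevocableFacet`, `demo`) and the sample log object are hypothetical.

```javascript
// Added illustration; all names and the sample log object are hypothetical.
function makeLog() {
  const lines = [];
  return {
    read: () => lines.slice(),
    append: (line) => { lines.push(line); },
    truncate: () => { lines.length = 0; },
  };
}

// ACL model: the guard asks "who is calling?", so any code running under
// a delegated identity gets every operation that identity is listed for.
function makeAclGuard(target, acl) {
  return (identity, op, ...args) => {
    const allowed = acl.get(identity) || [];
    if (!allowed.includes(op)) throw new Error(`${identity} may not ${op}`);
    return target[op](...args);
  };
}

// Capability model: hand out a facet exposing only the chosen operations,
// with its own revoker that leaves every other reference untouched.
function makeRevocableFacet(target, ops) {
  let live = target;
  const facet = {};
  for (const op of ops) {
    facet[op] = (...args) => {
      if (live === null) throw new Error("revoked");
      return live[op](...args);
    };
  }
  return { facet: Object.freeze(facet), revoke: () => { live = null; } };
}

function demo() {
  const log = makeLog();
  const guard = makeAclGuard(log, new Map([["alice", ["read", "append", "truncate"]]]));
  guard("alice", "append", "entry 1");
  guard("alice", "truncate"); // a delegate acting as alice can truncate too
  const aclDelegateTruncated = log.read().length === 0;

  const { facet, revoke } = makeRevocableFacet(log, ["append"]);
  facet.append("entry 2"); // the only operation this delegate holds
  const facetExposesTruncate = "truncate" in facet;
  revoke();
  let afterRevoke = "allowed";
  try { facet.append("entry 3"); } catch (e) { afterRevoke = e.message; }
  return { aclDelegateTruncated, facetExposesTruncate, afterRevoke, contents: log.read() };
}
```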