the cost of complexity (was: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome ChrisSkalkaand ScottSmith of Johns Hopkins))

Mark S. Miller markm@caplet.com
Wed, 24 Jan 2001 08:21:51 -0800


At 07:50 AM Wednesday 1/24/01, Jonathan S. Shapiro wrote:
>You
>may feel that ACLs are a bad protection model, but it is inarguable that we
>can specify their behavior and enforce the specification.

As you know, and I believe agree with, 
http://www.erights.org/elib/capability/conspire.html disputes that the ACL 
security model can be enforced.  

Of the subset of ACLs that can be enforced, the only part of that subset not 
expressible in capabilities that's been identified is the one Ralph Hartley 
pointed out, also explained on that page.


        Cheers,
        --MarkM