[E-Lang] Java 2 "Security" (was: Re: WelcomeChrisSkalkaand ScottSmith of Johns Hopkins)

Mark S. Miller markm@caplet.com
Wed, 24 Jan 2001 15:05:39 -0800

At 02:40 PM Wednesday 1/24/01, Jonathan S. Shapiro wrote:
>> > There really is a valid argument for some form of ACL here.
>> I disagree that ACLs are needed for selective revocation.  One way is to
>> have a system that gives you the ability to clone a capability.  Then you
>> can selectively revoke a single clone and leave the others alone
>I believe that you just re-invented ACLs. You simply attached the tags to
>capabilities rather than to processes. Also, note that your solution
>violates the desired pass-through property.

If you believe this is a reinvention of ACLs, I believe we desperately need 
to see your definition of ACLs.  I can't for the life of me reconcile what 
you seem to be saying here with anything else I believe you to believe. 
(Well, maybe with some things, but not any regarding security.)

What you seem to be saying:

If one adds revocable capabilities to a capability system (an absurdity, 
since capability systems already naturally support revocable capabilities), 
then one has an ACL system.  Certainly, under this definition, I would have 
no object to ACL systems, since they are just relabeled capability systems.

Any such definition would conflict with the definition of ACLs in your 
thesis, where you prove that ACLs cannot confine, whereas capabilities can.  
Is it your belief that by adding revocability, or whatever else it is you 
think Alan is saying, that you thereby lose the ability to confine?

If you respond saying this is indeed your position, could you pgp sign the 
message, so we can have higher confidence that this is indeed Jonathan 
Shapiro speaking?  ;)