[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

David Wagner daw@mozart.cs.berkeley.edu
25 Jan 2001 08:43:47 GMT


Ben Laurie wrote:
>The difference is that if I delegate my identity to a person or program,
>they can do _anything_ I'm entitled to do according to the ACLs.

Yeah, so don't do that.  :-)

There's nothing about ACLs that forces you to do all-or-nothing
delegation.  In fact, if you look at, say, Unix file permissions (an
ACL system), delegation is not all-or-nothing: you can hand off just
read permission, etc.

The issue of the granularity of delegation seems to be orthogonal to
whether annotations about security privileges are stored at the subject
or object, no?

Note that there *is* a tradeoff between whether the OS (or, more
generally, the agent who enforces access control decisions) has to
be online or not.  In ACL systems, to delegate some of your rights,
typically you have to involve the OS in the transaction, so the OS has
to be online.  In capabilities systems (e.g., attribute certificates),
delegation is often possible without needing the OS to be online.
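The two points in the post, that an ACL system can delegate a subset of rights but needs the reference monitor online to do it, while a certificate-based capability system lets the holder delegate without contacting the monitor, can be shown side by side in a small model. The code below is an added example and is not from this thread or from E; the principal names, object path and keys are constructed, and HMAC keys shared with the monitor stand in for the public-key signatures an attribute certificate would really carry (an assumption made so the example runs with the standard library only).

```python
import hashlib
import hmac
import json

RIGHTS = frozenset({"read", "write"})


def canon(body):
    # Canonical JSON so the MAC covers exactly the certificate fields.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mac_for(key, body):
    return hmac.new(key, canon(body), hashlib.sha256).hexdigest()


def make_cert(key, issuer, subject, obj, rights, parent_mac):
    body = {"issuer": issuer, "subject": subject, "obj": obj,
            "rights": sorted(rights), "parent_mac": parent_mac}
    return {"body": body, "mac": mac_for(key, body)}


class AclMonitor:
    """ACL reference monitor: rights live on the object. Delegation is a
    call into the monitor, so the monitor has to be online for it."""

    def __init__(self):
        self.acl = {}  # object -> {subject: set of rights}

    def create(self, owner, obj):
        self.acl[obj] = {owner: set(RIGHTS)}

    def delegate(self, grantor, grantee, obj, rights):
        # Partial delegation is fine: only a subset of held rights is checked.
        held = self.acl[obj].get(grantor, set())
        if not set(rights) <= held:
            raise PermissionError(f"{grantor} cannot grant {rights} on {obj}")
        self.acl[obj].setdefault(grantee, set()).update(rights)

    def check(self, subject, obj, right):
        return right in self.acl.get(obj, {}).get(subject, set())


def delegate_offline(chain, holder_key, holder, grantee, rights):
    """Capability delegation: a pure function that extends a certificate
    chain. No monitor is contacted; attenuation is checked only at use."""
    last = chain[-1]
    return chain + [make_cert(holder_key, holder, grantee,
                              last["body"]["obj"], rights, last["mac"])]


class CapMonitor:
    """Capability reference monitor: it issues a root certificate and later
    verifies a chain presented by whoever ends up holding it."""

    def __init__(self, key):
        self.key = key
        self.keys = {}  # principal -> MAC key (stand-in for a public key)

    def register(self, principal, key):
        self.keys[principal] = key

    def issue(self, owner, obj):
        return make_cert(self.key, "monitor", owner, obj, RIGHTS, "")

    def verify(self, chain):
        """Return (holder, rights) for the end of a valid chain, else None."""
        if not chain:
            return None
        obj = chain[0]["body"]["obj"]
        issuer, parent_mac, rights, holder = "monitor", "", set(RIGHTS), None
        for cert in chain:
            body = cert["body"]
            key = self.key if body["issuer"] == "monitor" else self.keys.get(body["issuer"])
            if (key is None or body["issuer"] != issuer or body["obj"] != obj
                    or body["parent_mac"] != parent_mac):
                return None
            if not hmac.compare_digest(cert["mac"], mac_for(key, body)):
                return None  # forged or tampered link
            if not set(body["rights"]) <= rights:
                return None  # delegator tried to hand out more than it held
            rights = set(body["rights"])
            issuer = holder = body["subject"]
            parent_mac = cert["mac"]
        return holder, frozenset(rights)


def demo():
    obj = "/home/alice/notes"  # constructed object name
    acl = AclMonitor()
    acl.create("alice", obj)
    acl.delegate("alice", "bob", obj, {"read"})  # monitor online, read only
    acl_result = (acl.check("bob", obj, "read"), acl.check("bob", obj, "write"))

    mon = CapMonitor(b"monitor-key")  # constructed keys
    mon.register("alice", b"alice-key")
    mon.register("bob", b"bob-key")
    root = [mon.issue("alice", obj)]
    bob_chain = delegate_offline(root, b"alice-key", "alice", "bob", {"read"})
    # Bob only holds read, so this over-broad delegation is built offline
    # without complaint but rejected when Carol presents it.
    carol_chain = delegate_offline(bob_chain, b"bob-key", "bob", "carol", RIGHTS)
    return acl_result, mon.verify(bob_chain), mon.verify(carol_chain)
```

The contrast is where the check sits: `AclMonitor.delegate` refuses an over-grant at delegation time because the monitor is in the loop, whereas `delegate_offline` never talks to the monitor and an over-grant only surfaces when `CapMonitor.verify` walks the chain.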