[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Karp, Alan alan_karp@hp.com
Fri, 26 Jan 2001 16:06:49 -0800

One essential difference between capabilities and ACLs is that the former
relates to a role and the latter to an identity.  Here's an example from
real life.

Zebra Copy, a small business in Palo Alto and Cupertino, does business with
HP.  Some 2,000 HP employees are permitted to order work from them.  The
system in place uses ACLs, so Zebra Copy has a database of HP employees and
what each is allowed to do.  Every time an employee changes roles, HP must
notify Zebra Copy, and they must update their database.  HP has some 20,000
such business partners, and Zebra Copy has several hundred companies it does
business with.  What a nightmare.  I thought the person describing this to
me was joking.

If capabilities were used, life would be much simpler.  Zebra Copy would
give HP a capability for each access right.  It would be up to HP to manage
those capabilities.  When someone at HP changed jobs, it would be HP's
responsibility to make sure that the capability was transferred properly.
Should a capability be stolen or misused, HP would be responsible until it
notified Zebra Copy to revoke it.  Zebra Copy would need only keep one set
of capabilities for each contract; HP would not need to keep suppliers
informed of personnel changes.

Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278

> -----Original Message-----
> From: Ben Laurie [mailto:ben@algroup.co.uk]
> Sent: Thursday, January 25, 2001 3:31 AM
> To: David Wagner
> Cc: e-lang@eros-os.org
> Subject: Re: [E-Lang] Java 2 "Security" (was: Re:
> WelcomeChrisSkalkaandScottSmith of Johns Hopkins)
> David Wagner wrote:
> > 
> > Ben Laurie  wrote:
> > >The difference is that if I delegate my identity to a person or program,
> > >they can do _anything_ I'm entitled to do according to the ACLs.
> > 
> > Yeah, so don't do that.  :-)
> If you are suggesting I should have a different identity for each
> operation, then isn't that just capabilities in disguise?
> > There's nothing about ACL's that forces you to do all-or-nothing
> > delegation.  In fact, if you look at, say, Unix file permissions (an
> > ACL system), delegation is not all-or-nothing: you can hand off just
> > read permission, etc.
> I can? How?
> > The issue of the granularity of delegation seems to be orthogonal to
> > whether annotations about security privileges are stored at the subject
> > or object, no?
> I don't know. I'm finding it hard to think about the question, which
> probably means you are right.
> Cheers,
> Ben.
> --
> http://www.apache-ssl.org/ben.html
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
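The Zebra Copy / HP scenario above, worked through in code as an added example (this is not code from the mail or from the E project). Both models are reduced to their essentials: an ACL supplier that keys its authorization database on employee identity and therefore has to be told about every personnel change, beside a capability supplier that mints one unforgeable, revocable token per access right per contract and leaves the bookkeeping of who holds which token to the customer. The HMAC-signed token format, the contract name "HP-2001", the rights "order_copies" and "approve_invoice", and the employee names are all assumptions for illustration.

```python
"""Added example: ACL vs capability delegation, modelled on the Zebra Copy / HP story.

Assumptions (not from the original mail): capabilities are HMAC-signed tokens
minted by the supplier; revocation is a per-token deny list at the supplier;
names, rights and the contract id are made up for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


class AclSupplier:
    """Zebra-style supplier that authorizes by the customer's employee identity."""

    def __init__(self):
        self.acl = {}           # employee identity -> set of rights
        self.notifications = 0  # how many updates the customer had to send us

    def update(self, employee, rights):
        # Every personnel change at the customer ends up as a call here.
        self.notifications += 1
        if rights:
            self.acl[employee] = set(rights)
        else:
            self.acl.pop(employee, None)

    def request(self, employee, right):
        return right in self.acl.get(employee, set())


@dataclass(frozen=True)
class Capability:
    cap_id: str
    contract: str
    right: str
    mac: str  # HMAC over (cap_id, contract, right) under the supplier's key


class CapSupplier:
    """Zebra-style supplier that hands the customer one token per access right."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # never leaves the supplier
        self._revoked = set()
        self.notifications = 0

    def _mac(self, cap_id, contract, right):
        msg = f"{cap_id}|{contract}|{right}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, contract, right):
        cap_id = secrets.token_hex(8)
        return Capability(cap_id, contract, right, self._mac(cap_id, contract, right))

    def revoke(self, cap):
        # The only call the customer ever needs to make after issuance.
        self.notifications += 1
        self._revoked.add(cap.cap_id)

    def request(self, cap, right):
        # Unforgeable (MAC must verify), revocable, and scoped to exactly one right.
        expected = self._mac(cap.cap_id, cap.contract, cap.right)
        if not hmac.compare_digest(expected, cap.mac):
            return False
        if cap.cap_id in self._revoked:
            return False
        return cap.right == right


class CustomerCapStore:
    """The customer's own record of which employee holds which token; the supplier never sees it."""

    def __init__(self):
        self.holders = {}  # employee -> list of capabilities

    def grant(self, employee, cap):
        self.holders.setdefault(employee, []).append(cap)

    def transfer(self, old, new):
        # A role change is purely internal to the customer.
        self.holders[new] = self.holders.get(new, []) + self.holders.pop(old, [])

    def caps_of(self, employee):
        return self.holders.get(employee, [])


def run_scenario():
    """Play the same personnel change through both models and return what each side sees."""
    r = {}
    # ACL world: the supplier must be told about alice leaving and bob arriving.
    acl = AclSupplier()
    acl.update("alice", {"order_copies", "approve_invoice"})
    r["acl_alice_can_order"] = acl.request("alice", "order_copies")
    acl.update("alice", set())
    acl.update("bob", {"order_copies", "approve_invoice"})
    r["acl_bob_can_order"] = acl.request("bob", "order_copies")
    r["acl_notifications"] = acl.notifications  # three round trips for one role change

    # Capability world: the supplier issues per-right tokens once; HP moves them around.
    zebra, hp = CapSupplier(), CustomerCapStore()
    order_cap = zebra.issue("HP-2001", "order_copies")
    approve_cap = zebra.issue("HP-2001", "approve_invoice")
    hp.grant("alice", order_cap)
    hp.grant("alice", approve_cap)
    hp.transfer("alice", "bob")  # no call to Zebra
    r["cap_bob_can_order"] = zebra.request(hp.caps_of("bob")[0], "order_copies")
    r["cap_notifications_after_transfer"] = zebra.notifications
    # A token carries only its own right: the order token cannot approve invoices.
    r["cap_order_cannot_approve"] = zebra.request(order_cap, "approve_invoice")
    # Re-labelling a token's right without the supplier's key fails the MAC check.
    forged = Capability(order_cap.cap_id, order_cap.contract, "approve_invoice", order_cap.mac)
    r["forged_rejected"] = zebra.request(forged, "approve_invoice")
    # A stolen token keeps working until HP tells Zebra to revoke it.
    stolen = order_cap
    r["stolen_works_before_revoke"] = zebra.request(stolen, "order_copies")
    zebra.revoke(order_cap)
    r["stolen_works_after_revoke"] = zebra.request(stolen, "order_copies")
    r["cap_notifications_total"] = zebra.notifications
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The counters are the point: the ACL supplier is contacted three times for a single job change, while the capability supplier hears nothing until HP asks for a revocation, which is exactly the division of responsibility the mail describes. The stolen-token case shows the flip side the mail also notes: until HP reports the theft, Zebra will honor the token, so the window of misuse is HP's to close.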