[E-Lang] Java 2 "Security" (was: Re:
WelcomeChrisSkalkaandScottSmith of Johns Hopkins)
Mark S. Miller
Fri, 26 Jan 2001 16:40:22 -0800
At 12:43 AM Thursday 1/25/01, David Wagner wrote:
>There's nothing about ACL's that forces you to do all-or-nothing
>delegation. In fact, if you look at, say, Unix file permissions (an
>ACL system), delegation is not all-or-nothing: you can hand off just
>read permission, etc.
I think everyone's been missing the more important way in which this example
is broken -- the identity of the "you" in "you can hand off just read
permission". It's only root or the owner of file, not everyone who *has*
read permission. This isn't delegation, it's simply ACLs.
Delegation allows Alice to delegate some of the rights she *has*, such as
the right to read file foo.txt owned by Carol, to Bob, so that Bob can also
have this right. In the kind of delegation David means, Alice can only ask
Carol to extend read permission to Bob (modulo group granularity and the
other issues on this thread) and hope for the best. (Or she can work around
the security system by proxying read requests from Bob, which we won't
consider further in this note.)
If Carol might refuse or take a long time to decide (as when human judgement
is involved), then Alice may not reasonably engage in the principle of least
authority when invoking Bob. Instead, in Unix, Alice will probably simply
exec Bob, allowing Bob to operate with Alice's principle as his principle,
simply merely because Alice needed to allow Bob to read this one file, and
could not *delegate* this permission to him without Carol's intervention.
SPKI (without the unenforceable do-not-delegate bit) is a fascinating and
disturbing middle ground between ACLs and capabilities, but at least it does
allow real delegation adequate to support the principle of least authority.