[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Mark S. Miller markm@caplet.com
Fri, 26 Jan 2001 16:40:22 -0800

At 12:43 AM Thursday 1/25/01, David Wagner wrote:
>There's nothing about ACLs that forces you to do all-or-nothing
>delegation.  In fact, if you look at, say, Unix file permissions (an
>ACL system), delegation is not all-or-nothing: you can hand off just
>read permission, etc.

I think everyone's been missing the more important way in which this example 
is broken -- the identity of the "you" in "you can hand off just read 
permission".  It's only root or the owner of the file, not everyone who *has* 
read permission.  This isn't delegation, it's simply ACLs.

Delegation allows Alice to delegate some of the rights she *has*, such as 
the right to read file foo.txt owned by Carol, to Bob, so that Bob can also 
have this right.  In the kind of delegation David means, Alice can only ask 
Carol to extend read permission to Bob (modulo group granularity and the 
other issues on this thread) and hope for the best.  (Or she can work around 
the security system by proxying read requests from Bob, which we won't 
consider further in this note.)

If Carol might refuse or take a long time to decide (as when human judgement 
is involved), then Alice may not reasonably engage in the principle of least 
authority when invoking Bob.  Instead, in Unix, Alice will probably simply 
exec Bob, allowing Bob to operate with Alice's principal as his principal, 
merely because Alice needed to allow Bob to read this one file, and 
could not *delegate* this permission to him without Carol's intervention.

SPKI (without the unenforceable do-not-delegate bit) is a fascinating and 
disturbing middle ground between ACLs and capabilities, but at least it does 
allow real delegation adequate to support the principle of least authority.
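The distinction drawn in this message, modelled as an added example that is not part of the original thread or of any E or SPKI code: a toy Unix-style ACL system in which only the owner (or root) may widen access, beside a toy capability system in which the right is the reference itself. The names (Carol, Alice, Bob, foo.txt, alice-secrets.txt), the class names and the file contents are all constructed for the illustration. As in the message, the proxying workaround is left out.

```python
"""Constructed model of ACL-style access control versus capability delegation.
Carol owns foo.txt and lets Alice read it.  The question is what Alice can
then do for Bob without going back to Carol."""
from dataclasses import dataclass, field


# ---------- ACL world: rights are recorded on the object, keyed by principal ----------

@dataclass
class FileRecord:
    name: str
    owner: str
    contents: str
    readers: set = field(default_factory=set)


class AclSystem:
    def __init__(self):
        self.files = {}

    def create(self, owner, name, contents):
        self.files[name] = FileRecord(name, owner, contents, {owner})

    def grant_read(self, actor, name, grantee):
        f = self.files[name]
        # Only root or the owner may edit the ACL; merely *having* read does not qualify.
        if actor not in ("root", f.owner):
            raise PermissionError(f"{actor} cannot change the ACL of {name}")
        f.readers.add(grantee)

    def read(self, actor, name):
        f = self.files[name]
        if actor not in f.readers:
            raise PermissionError(f"{actor} cannot read {name}")
        return f.contents

    def readable_by(self, actor):
        # Everything a process running *as* this principal could read.
        return sorted(n for n, f in self.files.items() if actor in f.readers)


def acl_scenario():
    s = AclSystem()
    s.create("carol", "foo.txt", "carol's data")
    s.create("alice", "alice-secrets.txt", "alice's private data")
    s.grant_read("carol", "foo.txt", "alice")      # Carol chooses to let Alice read

    try:                                           # Alice tries to pass read on to Bob...
        s.grant_read("alice", "foo.txt", "bob")
        alice_can_delegate = True
    except PermissionError:
        alice_can_delegate = False                 # ...and cannot: only Carol or root can

    # The Unix-style fallback: exec Bob *as* Alice.  Bob now reaches everything Alice can,
    # far more than the one file he needed.
    return {"alice_can_delegate": alice_can_delegate,
            "bob_as_alice_sees": s.readable_by("alice")}


# ---------- Capability world: the right is an unforgeable reference ----------

class ReadCap:
    """Read access to exactly one file; holding the object *is* the permission."""
    def __init__(self, f):
        self._f = f

    def name(self):
        return self._f.name

    def read(self):
        return self._f.contents


class ReadWriteCap(ReadCap):
    def write(self, contents):
        self._f.contents = contents

    def attenuate(self):
        return ReadCap(self._f)          # a strictly weaker cap to the same file


def run_bob(*caps):
    """Bob can reach only what he was handed: the principle of least authority."""
    return sorted(c.name() for c in caps)


def capability_scenario():
    carol_cap = ReadWriteCap(FileRecord("foo.txt", "carol", "carol's data"))
    alice_secrets = ReadWriteCap(FileRecord("alice-secrets.txt", "alice", "private"))
    alice_read_foo = carol_cap.attenuate()   # Carol hands Alice read-only access
    bob_read_foo = alice_read_foo            # Alice delegates it without asking Carol
    return {"bob_sees": run_bob(bob_read_foo),
            "bob_reads_foo": bob_read_foo.read(),
            "bob_can_write_foo": hasattr(bob_read_foo, "write"),
            "alice_keeps_secrets": alice_secrets.name() not in run_bob(bob_read_foo)}
```

Running `acl_scenario()` shows Alice's delegation attempt refused and Bob, once exec'd under Alice's principal, able to read both files; `capability_scenario()` shows Bob reading foo.txt and nothing else, and unable to write it because Carol attenuated the reference before Alice ever saw it.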