[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Jonathan S. Shapiro shap@cs.jhu.edu
Fri, 26 Jan 2001 19:46:31 -0500

David Wagner wrote:
> But it's totally obvious to see how to modify this example to
> build an ACL system which allows delegation that is as fine-grained
> as you like....
It is possible, by modifying any given system sufficiently, to arrive at
absolutely anything. I think I know where you are going with your
design. It's a perfectly okay design, but it isn't an ACL system
anymore. It also, in practice, is an infeasible design.

Also, please note that the set of paper designs and the set of feasible
designs really do not match, and that many of the "perfectly obvious"
modifications of ACL systems (or for that matter, capability systems)
prove to be impossible to implement with even vaguely acceptable
efficiency in practice.

In particular, ACL systems that rely on the dynamic introduction of new
principals are a mess, both for immediate reasons and because the next
move is invariably permission by inheritance, which introduces a very
high order algorithm and potentially unbounded storage allocation
requirements right smack into the middle of the fundamental protection
mechanism. Yuck.