[E-Lang] ACLs + delegation
Mark S. Miller
Mon, 29 Jan 2001 01:53:02 -0800
At 05:15 PM Friday 1/26/01, David Wagner wrote:
>Jonathan S. Shapiro wrote:
>>It's a perfectly okay design, but it isn't an ACL system
>>anymore. It also, in practice, is an infeasible design.
>Well, ok, what shall we call it? I'll try to adapt to whatever
>nomenclature you prefer. 
Oops, I should have read this first, before issuing the challenge in my
previous email. Ignoring implementation issues, and ignoring single machine
vs distributed system issues, once you add such a delegate primitive, you
are in the same semantic territory as SPKI. SPKI isn't easily classified.
With the do-not-delegate (dnd) bit stuck at ON, it may be an ACL system (and
a successfully distributed one at that). With is stuck to OFF, it
*resembles* a capability system, as explained in the Ode, though it still
has major differences which lead it to be susceptible to confused deputy,
and incapable of confinement, as explained in the Ode. I'd guess your
proposal is essentially the same as this dnd:=OFF variant of SPKI.
The incomplete thread on the CapCert proposal is an attempt to make a
SPKI-inspired system that fixes these deviations from capabilities while
adding Nikita-inspired active messages, and to examine the hypothesis that
none these deviations from pure capabilities added any value. Having not
yet pulled that proposal together, I'm not yet able to make that case.
Please stay tuned.
>But what's of much more interest to me than semantics is a technical
>question: What's the matter with designs that combine ACL's and
>delegation? For instance, what's broken about my proposal?
If I understand it, then I'd say that, compared to ACLs, it's great.
Compared to capabilities, like SPKI, it is incapable of confinement, and,
because it separates designation from authority, is vulnerable to confused
deputy. As explained in the CapCert thread (I can find the message if you
wish), because it separates authorization from invocation, it's vulnerable
to confused deputy again.
I do think the Confused Deputy is one of the most profound, and
unfortunately, one of the most subtle, of all computer security parables.
>I'm very interested to learn what makes it infeasible. Maybe this will
>help me to better understand the feeling on this list that ACL systems
>are broken and capabilities are the right way to go.
If I understand it, then I wouldn't say it's infeasible. In fact, like
SPKI, it seems like a feasible system that's better than ACLs. I'm just
saying that capabilities are better on all practical grounds, even ignoring
implementation complexity and efficiency issues.