[E-Lang] ACLs + delegation

Mark S. Miller markm@caplet.com
Mon, 29 Jan 2001 01:53:02 -0800

At 05:15 PM Friday 1/26/01, David Wagner wrote:
>Jonathan S. Shapiro wrote:
>>It's a perfectly okay design, but it isn't an ACL system
>>anymore. It also, in practice, is an infeasible design.
>Well, ok, what shall we call it?  I'll try to adapt to whatever
>nomenclature you prefer. [1]

Oops, I should have read this first, before issuing the challenge in my 
previous email.  Ignoring implementation issues, and ignoring single machine 
vs distributed system issues, once you add such a delegate primitive, you 
are in the same semantic territory as SPKI.  SPKI isn't easily classified. 
With the do-not-delegate (dnd) bit stuck at ON, it may be an ACL system (and 
a successfully distributed one at that).  With it stuck to OFF, it 
*resembles* a capability system, as explained in the Ode, though it still 
has major differences which lead it to be susceptible to confused deputy, 
and incapable of confinement, as explained in the Ode.  I'd guess your 
proposal is essentially the same as this dnd:=OFF variant of SPKI.

The incomplete thread on the CapCert proposal is an attempt to make a 
SPKI-inspired system that fixes these deviations from capabilities while 
adding Nikita-inspired active messages, and to examine the hypothesis that 
none of these deviations from pure capabilities added any value.  Having not 
yet pulled that proposal together, I'm not yet able to make that case.  
Please stay tuned.

>But what's of much more interest to me than semantics is a technical
>question: What's the matter with designs that combine ACL's and
>delegation?  For instance, what's broken about my proposal?

If I understand it, then I'd say that, compared to ACLs, it's great.

Compared to capabilities, like SPKI, it is incapable of confinement, and, 
because it separates designation from authority, is vulnerable to confused 
deputy.  As explained in the CapCert thread (I can find the message if you 
wish), because it separates authorization from invocation, it's vulnerable 
to confused deputy again.

I do think the Confused Deputy is one of the most profound, and 
unfortunately, one of the most subtle, of all computer security parables.

>I'm very interested to learn what makes it infeasible.  Maybe this will
>help me to better understand the feeling on this list that ACL systems
>are broken and capabilities are the right way to go.

If I understand it, then I wouldn't say it's infeasible.  In fact, like 
SPKI, it seems like a feasible system that's better than ACLs.  I'm just 
saying that capabilities are better on all practical grounds, even ignoring 
implementation complexity and efficiency issues.
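As an added illustration (not part of Mark Miller's message) of the claim that separating designation from authority invites the confused deputy: the ACL-backed deputy below writes to whatever name its caller supplies, using the deputy's own rights, while the capability-style deputy can only use authority the caller actually handed it. The ACL table, paths and principals are constructed, and WriteCap being unforgeable is an assumption.

```python
"""Confused deputy: authority separated from designation (ACL) vs. bundled (capability).
Constructed for illustration: ACL table, paths and principals are made up, and
WriteCap is assumed unforgeable (a real capability system enforces that; Python does not)."""
from dataclasses import dataclass
ACL = {  # constructed: which principals may write which file
    "/var/deputy/debug.log": {"deputy"},
    "/etc/billing.db": {"deputy", "admin"},  # the deputy bills for its own work
    "/home/user/out.txt": {"user"},
}
files = {}  # simulated file system: path -> contents

def acl_write(principal, path, data):
    """ACL check: authority comes from WHO writes; the path is only a name."""
    if principal not in ACL.get(path, set()):
        raise PermissionError(f"{principal} may not write {path}")
    files[path] = data

def acl_deputy(output_path, data):
    """The deputy writes under its OWN identity.  The caller supplied only a
    name, so nothing ties the caller's authority to the path it designated."""
    acl_write("deputy", output_path, data)

@dataclass(frozen=True)
class WriteCap:
    """Designation and authority in one object (unforgeability assumed)."""
    path: str
    def write(self, data):
        files[self.path] = data

def issue_caps(principal):
    """Hand out capabilities for exactly the files the principal may write."""
    return [WriteCap(p) for p, who in ACL.items() if principal in who]

def cap_deputy(output_cap, data):
    """The deputy exercises only the authority the caller handed it."""
    output_cap.write(data)

def demo():
    """Return (acl_deputy_confused, cap_deputy_confused)."""
    files.clear()
    # 'user' may not write billing.db, yet naming it through the deputy succeeds.
    acl_deputy("/etc/billing.db", "garbage")
    acl_confused = files.get("/etc/billing.db") == "garbage"
    files.clear()
    # 'user' can only pass capabilities it holds; billing.db is not among them.
    for cap in issue_caps("user"):
        cap_deputy(cap, "garbage")
    cap_confused = "/etc/billing.db" in files
    return acl_confused, cap_confused
```

The ACL deputy could only be repaired by re-checking the caller's rights against every name it receives, which is exactly the check the separation of authorization from invocation makes easy to forget.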