[e-lang] Comments on securing_python.txt (was: Brett proposes object-capabilities for Python)
Mark S. Miller
markm at cs.jhu.edu
Thu Jul 20 00:52:43 EDT 2006
Brett Cannon wrote:
> The new doc is named securing_python.txt and can be found through the
> svn web interface at
> http://svn.python.org/view/python/branches/bcannon-sandboxing/securing_python.txt?rev=50717&view=log
> If people have questions feel free to ask here or me personally.
A first quick comment on your doc:
> There are essentially two types of security: who-I-am
> (permissions-based) security and what-I-have (authority-based)
> security.
I think this mixes up two distinctions.
I like your term "who-I-am security" for identity-based access control systems
(IBAC), such as the typical use of ACLs. And I like "what-I-have" security for
authorization-based access control systems (ABAC), such as the typical use of
object-capabilities.
However, "permission" vs "authority" labels a largely orthogonal distinction,
having to do with the form of access rights one is analyzing. Both who-I-am
and what-I-have systems have both permission and authority, and both kinds of
systems should be analyzed in terms of both forms of access rights.
In the Caretaker example in my talk, Bob has permission to access the
caretaker, and (until Alice revokes) authority to access Carol. In an
object-capability system, a capability itself is a permission. Likewise, in an
ACL system, an ACL entry is a permission. Permission says what actions the
participants can directly cause. To analyze what constraints any security
arrangement imposes on what its participants can actually *do*, i.e., what
*effects* their permitted actions can cause, one must analyze authority. This
is true of both IBAC and ABAC systems.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
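The Caretaker arrangement described in the message above, worked through in plain Python as an added example (this is not code from the e-mail, from the e-lang archive, or from Brett's sandboxing branch; the class names `Carol`, `Caretaker`, `Revoked` and the helper `make_caretaker` are this example's own assumptions). Alice wraps Carol in a caretaker and hands the caretaker to Bob. Bob's reference to the caretaker is a permission: he can always invoke it. Whether an invocation actually reaches Carol is authority, which Alice controls through the revoker she keeps. The example also checks the caveat a practitioner would want: if the forwarder handed Bob the target's bound methods directly, a method reference Bob saved before revocation would still reach Carol, so the forwarder returns wrappers that re-check the target on every call.

```python
class Carol:
    """The target object Alice wants Bob to use for a while (hypothetical)."""

    def __init__(self):
        self.handled = []

    def do_work(self, item):
        self.handled.append(item)
        return f"carol handled {item}"


class Revoked(Exception):
    """Raised when a caretaker is invoked after Alice has revoked it."""


class Caretaker:
    """Forwards calls to a target until the matching revoker is used.

    A reference to a Caretaker is a permission: its holder can always invoke it.
    Whether an invocation reaches the target is authority, controlled by the revoker.
    """

    def __init__(self, target):
        self._target = target  # found by normal lookup, so __getattr__ never sees it

    def __getattr__(self, name):
        # Return a fresh wrapper rather than the target's bound method. The wrapper
        # re-reads self._target on every call, so a method reference Bob grabbed
        # before revocation cannot be used to reach Carol afterwards.
        def forward(*args, **kwargs):
            target = self._target
            if target is None:
                raise Revoked(f"caretaker revoked; {name!r} not forwarded")
            return getattr(target, name)(*args, **kwargs)

        return forward


def make_caretaker(target):
    """Alice's side: returns (forwarder, revoke).

    She hands the forwarder to Bob and keeps revoke for herself.
    """
    caretaker = Caretaker(target)

    def revoke():
        caretaker._target = None

    return caretaker, revoke


def run_scenario():
    """Alice grants Bob revocable access to Carol, then revokes it.

    Returns (result before revocation, outcome of a fresh call after revocation,
    outcome of a call through a method reference Bob saved earlier, Carol's log).
    """
    carol = Carol()
    forwarder, revoke = make_caretaker(carol)

    # Bob holds the forwarder (permission) and, until revocation, can affect Carol (authority).
    saved = forwarder.do_work            # Bob stashes a method reference for later
    before = forwarder.do_work("report")

    revoke()  # Alice withdraws Bob's authority over Carol; Bob still holds the forwarder

    def attempt(call):
        try:
            call("report-2")
            return "forwarded"
        except Revoked:
            return "revoked"

    after_fresh = attempt(forwarder.do_work)
    after_saved = attempt(saved)
    return before, after_fresh, after_saved, list(carol.handled)
```

After `revoke()`, both the fresh call and the saved method reference raise `Revoked`, and Carol's log shows only the one effect Bob caused while he still had authority. That is the permission/authority split in the e-mail: Bob's permission to call the caretaker never changes, but what his calls can cause does.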