Re: Capability vs ACL's Al Gilman (asgilman@iamdigex.net)
Mon, 01 Nov 1999 16:56:21 -0600

[Thank you for morphing me onto this list, and for the context set.]

At 03:53 PM 11/1/99 -0500, shapj@us.ibm.com wrote:
>
>Personally, I don't care for the locks and keys metaphor. A lock is
>generally assumed to have a single key, so the metaphor doesn't really
>describe what ACL systems do. Also, several ACL systems have "exclude this
>principal in spite of other rules that might allow them" facilities.
>

I don't know if this will alter the framing of the topic or not:

The idea of a single key was, at least, the opposite of what I was assuming. I was assuming that the basic lock requires at least two keys to open, like the safety interlock required before arming an ICBM. This means that no principal can single-handedly compromise a significant capability.

If we define ACLs as policies which operate in the space of pairs {action opportunity, agent candidate} does this change any of the feasibility calculations? The basic idea of ACLs is that one wishes to extend an action opportunity to the class of agents satisfying some query. So long as the verification of query satisfaction is done in a trusted computation, why not?

If you are worrying about flesh and blood agents improperly transferring secrets, you make biometrics part of the authentication protocol. No?

Al
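As an added illustration, not code from the thread or from either poster, here is a small Python model of the two mechanisms discussed above: an ACL expressed as a query over agent attributes, with "exclude this principal" rules that override any allow, and the two-key interlock that requires distinct permitted principals before an action is authorized. The agent names, roles and the `required_keys` parameter are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Rule:
    effect: str                            # "allow" or "deny"
    matches: Callable[[Dict], bool]        # the query an agent must satisfy


@dataclass
class Acl:
    """Policy over {action opportunity, agent candidate} pairs for one action."""
    rules: List[Rule] = field(default_factory=list)
    required_keys: int = 1                 # distinct approving agents needed (interlock)

    def permits(self, agent: Dict) -> bool:
        # A matching deny wins over any allow: the "exclude this principal
        # in spite of other rules" facility mentioned in the thread.
        if any(r.effect == "deny" and r.matches(agent) for r in self.rules):
            return False
        return any(r.effect == "allow" and r.matches(agent) for r in self.rules)

    def authorize(self, agents: List[Dict]) -> bool:
        # The interlock: count distinct permitted principals, so presenting
        # the same key twice does not satisfy a two-key lock.
        approvers = {a["id"] for a in agents if self.permits(a)}
        return len(approvers) >= self.required_keys


# Constructed sample principals (attribute bags the ACL query runs over).
AGENTS = {
    "alice":   {"id": "alice",   "role": "launch_officer"},
    "bob":     {"id": "bob",     "role": "launch_officer"},
    "mallory": {"id": "mallory", "role": "launch_officer"},
    "carol":   {"id": "carol",   "role": "ops"},
}

# Constructed policy for the "arm" action: any launch officer is allowed,
# mallory is explicitly excluded, and two distinct keys are required.
ARM_ACTION = Acl(
    rules=[
        Rule("allow", lambda a: a.get("role") == "launch_officer"),
        Rule("deny", lambda a: a.get("id") == "mallory"),
    ],
    required_keys=2,
)
```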