> Since ACLs *can* express the idea of non-transferability, they permit
> (indeed, encourage) the expression of fraudulent security promises.

Once again, we need to be clear about who the actor is. Non-transferable
powers do not exist in the human sense. You cannot be prevented from
telling me a secret if we can communicate. Ownership (i.e. title) is a
social abstraction, and quite another matter; it is useful not to confuse
the two.

I think that the philosophical problem with ACLs is not that they describe
unenforceable policies (they do not), but rather that tagging programs with
something called a "user id" conveys a deeply misleading intuition about
what policy and protections are actually being enforced by the mechanism;
the reality has nothing to do with users. Also, all of the commodity ACL

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 6576