[Cryptography] Do capabilities work? Do ACLs work?

ianG iang at iang.org
Tue Feb 10 07:52:58 EST 2015


On 10/02/2015 04:59 am, Ben Laurie wrote:

> As Bill points out, this is exactly the point of capability systems (he
> didn't say it, but it is what he meant). A long time ago we had a choice
> between ACLs and capabilities, and we chose the wrong thing.
>
> Capability systems do exist, but we also have a lot of ACL-based
> engineering to fix in order to properly use them.


Having watched/worked with capability ideas for a while, I'm of the 
opinion they don't work as well in practice as the theoretical pundits 
would have it.

Also, the users continue to demand ACLs.

So my current view is that what is needed is a hybrid.  In a limited 
sense one can see this with expiries:  a cap with a time limit on it is 
a cap with a "control" on it.

In a more developed sense, my software has lots of caps running around, 
but servers that serve those caps also look at who's asking.  E.g., when 
Bob looks at Alice's photo, the server only grants it if Bob is in 
Alice's A list.

This certainly makes for more complicated software.  But when the judge 
asks, it's much easier to say "only Bob could have seen the photo" than 
anyone with a cap...



iang

PS: a capability in the sense I mean above is implemented by an object 
which is hashed canonically and stored somewhere on the net.  If you 
have the hash, you can ask the store to reveal it.
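
The hybrid described in the message above (a hash-addressed cap, an expiry carried on the cap, and a server that also checks the requester against the owner's access list), as an added example that is not iang's software or any code from the thread. It assumes a canonical JSON encoding hashed with SHA-256 as the capability string, an in-memory store, and constructed principals alice/bob/mallory with a hypothetical expiry time; the audit log is there so the "who could have seen the photo" question can be answered from the server's own records.

```python
import hashlib
import json


def canonical_hash(obj) -> str:
    """Canonical encoding (sorted keys, no insignificant whitespace) so the
    same object always yields the same hash, i.e. the same capability.
    Assumption: JSON + SHA-256 is the canonical form; the post names neither."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class CapStore:
    """Content-addressed store: whoever knows the hash can ask for the object."""

    def __init__(self):
        self._objects = {}

    def put(self, obj) -> str:
        h = canonical_hash(obj)
        self._objects[h] = obj
        return h

    def get(self, h):
        return self._objects.get(h)


class HybridServer:
    """Serves caps, but also looks at who is asking (the hybrid in the post)."""

    def __init__(self, store: CapStore):
        self.store = store
        self.access_lists = {}   # owner -> set of principals allowed to see their objects
        self.audit = []          # (requester, cap_hash, outcome), kept for the judge

    def set_access_list(self, owner, principals):
        self.access_lists[owner] = set(principals)

    def _log(self, requester, cap_hash, outcome):
        self.audit.append((requester, cap_hash, outcome))

    def reveal(self, cap_hash, requester, now):
        """Return the object if the cap is valid AND the requester is on the
        owner's list; otherwise None. Every decision is recorded."""
        obj = self.store.get(cap_hash)
        if obj is None:
            self._log(requester, cap_hash, "unknown cap")
            return None
        # Control 1: an expiry carried by the cap itself.
        if "expires" in obj and now > obj["expires"]:
            self._log(requester, cap_hash, "expired")
            return None
        # Control 2: the ACL. Holding the hash alone is not enough.
        if requester not in self.access_lists.get(obj["owner"], set()):
            self._log(requester, cap_hash, "not on owner's list")
            return None
        self._log(requester, cap_hash, "granted")
        return obj

    def who_saw(self, cap_hash):
        """Answer "who could have seen it?" from the audit trail."""
        return [r for (r, c, outcome) in self.audit
                if c == cap_hash and outcome == "granted"]


def demo():
    """Constructed scenario: Alice's photo, Bob on her list, Mallory not."""
    store = CapStore()
    server = HybridServer(store)
    # Hypothetical object; 'expires' is a made-up logical clock value.
    photo = {"owner": "alice", "type": "photo", "data": "<bytes>", "expires": 100}
    cap = store.put(photo)
    server.set_access_list("alice", ["bob"])
    results = {
        "bob": server.reveal(cap, "bob", now=50) is not None,
        "mallory_with_cap": server.reveal(cap, "mallory", now=50) is not None,
        "bob_after_expiry": server.reveal(cap, "bob", now=150) is not None,
        "bob_bad_hash": server.reveal("0" * 64, "bob", now=50) is not None,
    }
    return results, server.who_saw(cap)


if __name__ == "__main__":
    print(demo())
```

The point of the ACL check is visible in the "mallory_with_cap" case: Mallory holds a perfectly good cap (the hash) and is still refused, which is exactly what makes the server's answer to the judge narrower than "anyone with a cap".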


More information about the cryptography mailing list