[Cryptography] Do capabilities work? Do ACLs work?
ianG
iang at iang.org
Tue Feb 10 07:52:58 EST 2015
On 10/02/2015 04:59 am, Ben Laurie wrote:
> As Bill points out, this is exactly the point of capability systems (he
> didn't say it, but it is what he meant). A long time ago we had a choice
> between ACLs and capabilities, and we chose the wrong thing.
>
> Capability systems do exist, but we also have a lot of ACL-based
> engineering to fix in order to properly use them.
Having watched/worked with capability ideas for a while, I'm of the
opinion they don't work as well in practice as the theoretical pundits
would have it.
Also, the users continue to demand ACLs.
So my current view is that what is needed is a hybrid. In a limited
sense one can see this with expiries: a cap with a time limit on it is
a cap with a "control" on it.
In a more developed sense, my software has lots of caps running around,
but servers that serve those caps also look at who's asking. E.g., when
Bob looks at Alice's photo, the server only grants it if Bob is in
Alice's A list.
This certainly makes for more complicated software. But when the judge
asks, it's much easier to say "only Bob could have seen the photo" than
anyone with a cap...
iang
PS: a capability in the sense I mean above is implemented by an object
which is hashed canonically and stored somewhere on the net. If you
have the hash, you can ask the store to reveal it.
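The hybrid the post sketches, worked through as an added example (this is illustrative code, not iang's software or anything from the list): a capability is the canonical hash of an object in a content-addressed store, the store applies an expiry "control", and before revealing the object it also checks the requester against the owner's allow list. The `CapStore` class, its method names, the allow-list representation and the sample photo record are all constructed for the example; the audit log and `who_could_have_seen` exist to make the "only Bob could have seen the photo" answer concrete.

```python
"""Hybrid capability + ACL store (illustrative; not the author's software).

A capability is the hex SHA-256 of an object's canonical JSON encoding.
Holding the hash is necessary but not sufficient: the store also enforces
an expiry and checks who is asking against the owner's allow list, and it
records every request so the set of possible viewers can be stated later.
All names, timestamps and data below are constructed for the example.
"""
import hashlib
import json
import time


def canonical_hash(obj: dict) -> str:
    """Capability = SHA-256 over a deterministic encoding of the object.
    Sorted keys and fixed separators make the encoding canonical, so the
    same object always yields the same cap."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class CapStore:
    def __init__(self):
        self._objects = {}   # cap -> stored object
        self._meta = {}      # cap -> {"owner", "allow", "expires"}
        self.audit = []      # (time, requester, cap prefix, granted?)

    def put(self, obj: dict, owner: str, allow: set, ttl_seconds: int, now=None) -> str:
        """Store obj; return its capability. The expiry is the 'control'
        attached to the cap, the allow list is the ACL side of the hybrid."""
        now = time.time() if now is None else now
        cap = canonical_hash(obj)
        self._objects[cap] = obj
        self._meta[cap] = {"owner": owner, "allow": set(allow), "expires": now + ttl_seconds}
        return cap

    def get(self, cap: str, requester: str, now=None):
        """Reveal the object only if the requester presents a known cap
        AND passes the store-side controls. Returns (granted, obj_or_reason)."""
        now = time.time() if now is None else now
        meta = self._meta.get(cap)
        if meta is None:
            outcome = (False, "unknown capability")
        elif now > meta["expires"]:
            outcome = (False, "capability expired")
        elif requester != meta["owner"] and requester not in meta["allow"]:
            outcome = (False, "requester not on owner's list")
        else:
            outcome = (True, self._objects[cap])
        self.audit.append((now, requester, cap[:12], outcome[0]))
        return outcome

    def who_could_have_seen(self, cap: str) -> set:
        """The answer for the judge: every principal the store would ever
        have revealed this object to, no matter who else held the hash."""
        meta = self._meta[cap]
        return {meta["owner"]} | meta["allow"]


def demo():
    """Constructed scenario: Alice stores a photo, Bob is on her list,
    Carol is not; the cap expires after an hour."""
    store = CapStore()
    t0 = 1_000_000.0  # constructed clock value
    photo = {"owner": "alice", "name": "beach.jpg", "data": "constructed-bytes"}
    cap = store.put(photo, owner="alice", allow={"bob"}, ttl_seconds=3600, now=t0)
    results = {
        "bob_now": store.get(cap, "bob", now=t0 + 10)[0],        # on list, in time
        "carol_now": store.get(cap, "carol", now=t0 + 10)[0],    # has hash, not on list
        "bob_later": store.get(cap, "bob", now=t0 + 7200)[0],    # on list, but expired
        "wrong_cap": store.get("00" * 32, "bob", now=t0 + 10)[0], # no such object
    }
    return results, store.who_could_have_seen(cap), store.audit


if __name__ == "__main__":
    results, viewers, audit = demo()
    print(results)          # only bob_now is True
    print(viewers)          # {'alice', 'bob'}
    for entry in audit:
        print(entry)
```

The point the code makes is the one in the post: a leaked hash alone is not enough, because the store answers "who" as well as "what", and the audit trail plus `who_could_have_seen` bound the set of possible viewers to the owner's list rather than to "anyone holding the cap".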