[Cryptography] Do capabilities work? Do ACLs work?

Nico Williams nico at cryptonector.com
Wed Feb 11 12:49:59 EST 2015


On Wed, Feb 11, 2015 at 07:15:38PM +1300, Peter Gutmann wrote:
> ianG <iang at iang.org> writes:
> >Also, the users continue to demand ACLs.
> 
> I don't think users demand ACLs (or capabilities), they demand some means of
> doing things like "make sure the competition doesn't get hold of our business
> plans" or "make sure no-one outside payroll and the employee concerned can see
> pay details".  Whether you use ACLs, capabilities, or nasally-housed demons
> doesn't really matter.
> 
> Having said that, ACLs are better-suited to expressing most of what users want
> than capabilities.  The reason why both Unix and Windows use groups and
> permissions the way they do isn't because of a grand anti-capability
> conspiracy, it's because that's the most practical/real-world-applicable way
> to do it.

In particular, ACLs can be audited, while auditing capability tokens
requires looking at the running state of entire systems.  One of these is
not practical!

Sure, capability token usage can be audited, but while that can answer
questions about the past, it doesn't say enough about potential future
events.

Capability tokens are a great mechanism for things that can legitimately
fly under the radar of auditors asking questions like "what can this
user do?".

Capability tokens are not a good mechanism for expressing auditable policy.

Nico
-- 
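The distinction drawn in the message above, as an added illustration that is not part of the original post: with ACLs, "what can this user do?" is answered from the policy store alone, whereas with capability tokens the issuance record can be silently outrun by delegation, so a truthful answer requires walking the live state of every holder. All names (`AclStore`, `CapabilitySystem`, `payroll_svc`, `reporting`, the `pay_details` resource) are constructed for the example.

```python
# Added illustration (not from the mailing-list post): static ACL policy
# answers "what can this user do?" offline; capability tokens only answer
# it from the running state of every holder.
from dataclasses import dataclass, field
import secrets


# --- ACL model: policy lives in one place and can be queried offline ---
class AclStore:
    def __init__(self):
        self.acl = {}      # resource -> {principal: set of permissions}
        self.groups = {}   # group name -> set of users

    def grant(self, resource, principal, perms):
        self.acl.setdefault(resource, {}).setdefault(principal, set()).update(perms)

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def effective_permissions(self, user):
        """Answer 'what can this user do?' from the policy alone."""
        principals = {user} | {g for g, members in self.groups.items() if user in members}
        result = {}
        for resource, entries in self.acl.items():
            perms = set()
            for principal in principals:
                perms |= entries.get(principal, set())
            if perms:
                result[resource] = perms
        return result


# --- Capability model: authority is whatever tokens a holder currently has ---
@dataclass(frozen=True)
class Capability:
    resource: str
    perms: frozenset
    token: str = field(default_factory=lambda: secrets.token_hex(8))


class Holder:
    """A process or user that holds capability tokens."""
    def __init__(self, name):
        self.name = name
        self.caps = []

    def delegate(self, other, cap):
        # Delegation is a plain copy of the token; nothing central records it.
        other.caps.append(cap)


class CapabilitySystem:
    def __init__(self):
        self.holders = {}
        self.issue_log = []   # (holder name, capability) recorded at issue time

    def holder(self, name):
        return self.holders.setdefault(name, Holder(name))

    def issue(self, name, resource, perms):
        cap = Capability(resource, frozenset(perms))
        self.holder(name).caps.append(cap)
        self.issue_log.append((name, cap))
        return cap

    def audit_from_issue_log(self):
        """What the issuing record says: who was originally given what."""
        view = {}
        for name, cap in self.issue_log:
            view.setdefault(name, {}).setdefault(cap.resource, set()).update(cap.perms)
        return view

    def audit_from_runtime(self):
        """The truthful answer: walk the live state of every holder."""
        view = {}
        for name, h in self.holders.items():
            for cap in h.caps:
                view.setdefault(name, {}).setdefault(cap.resource, set()).update(cap.perms)
        return view


def demo():
    # Constructed scenario: pay details must be readable only by payroll.
    acl = AclStore()
    acl.grant("pay_details", "payroll", {"read"})
    acl.add_member("payroll", "alice")

    caps = CapabilitySystem()
    caps.issue("payroll_svc", "pay_details", {"read"})
    # Later, at runtime, the token is handed to a reporting job.
    payroll = caps.holder("payroll_svc")
    payroll.delegate(caps.holder("reporting"), payroll.caps[0])
    return {
        "acl_alice": acl.effective_permissions("alice"),
        "acl_bob": acl.effective_permissions("bob"),
        "cap_issue_log": caps.audit_from_issue_log(),
        "cap_runtime": caps.audit_from_runtime(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running `demo()` shows the gap the post describes: the ACL store answers for both `alice` and `bob` without touching any process, while the capability issue log lists only `payroll_svc` and misses the `reporting` holder that only the runtime walk reveals.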