[Cryptography] Do capabilities work? Do ACLs work?

Rob Meijer pibara at gmail.com
Thu Feb 12 03:12:50 EST 2015


2015-02-11 7:15 GMT+01:00 Peter Gutmann <pgut001 at cs.auckland.ac.nz>:

> ianG <iang at iang.org> writes:
>
> >Also, the users continue to demand ACLs.
>
> I don't think users demand ACLs (or capabilities), they demand some means
> of doing things like "make sure the competition doesn't get hold of our
> business plans" or "make sure no-one outside payroll and the employee
> concerned can see pay details".  Whether you use ACLs, capabilities, or
> nasally-housed demons doesn't really matter.
>
> Having said that, ACLs are better-suited to expressing most of what users
> want than capabilities.  The reason why both Unix and Windows use groups
> and permissions the way they do isn't because of a grand anti-capability
> conspiracy, it's because that's the most practical/real-world-applicable
> way to do it.
>

I think that what most users want is more likely to be 'integrity' than
'expression'.  Capabilities allow 'programmers' more, and granularity-agnostic,
expression that is impractical or even impossible with ACLs.  In the
current technological reality, neither ACLs nor capabilities can solve
'confidentiality' in a way that yields a system that is both secure and
usable.  At least capabilities can get us the 'integrity' part.  The reason Unix
uses ACLs is because it was conceived in a time when it was suitable for
time-sharing systems where the software was trusted but other users could
not be.  The model, however, is completely useless when, as is mostly the case,
the users can be trusted but the software they are running cannot.

Rob