[Cryptography] Do capabilities work? Do ACLs work?

Rob Meijer pibara at gmail.com
Thu Feb 12 14:31:27 EST 2015


2015-02-12 19:38 GMT+01:00 Jerry Leichter <leichter at lrw.com>:

> On Feb 12, 2015, at 3:12 AM, Rob Meijer <pibara at gmail.com> wrote:
>
> The reason Unix uses ACLs is because it was conceived in a time when it
> was suitable for time-sharing systems where the software was trusted but
> other users could not be. The model however is completely useless when, as is
> mostly the case, the users can be trusted but the software they are running
> cannot. ...
>
> I doubt this explanation.  The reason Unix (and Windows, and VMS) went
> with ACL's is that they were a relatively simple extension to what they
> already had:  Information on the files that defined access for well-defined
> groups of users.
>

ACLs are not an extension of the UGO system; the UGO system is an
example of a trivial and limited ACL system. But anyway, let's not get into a
semantics discussion. My point is that systems like these found their
origin in the days of timesharing and the days before malware, a time when
having access control at the granularity of groups and users made sense. In
that setting, the out-of-band attribute-of-resource approach to access
control made perfect sense. So now, as a result of that legacy, we are still
pretty much stuck with a system that has become rather a kludge when trying
to solve the security concerns that arise on systems where the software
run by the users is trusted significantly less than the users themselves.
In today's threat landscape I would argue that, without the burden of backward
compatibility, the choice for capabilities would have been obvious and none
of these systems would have opted for ACL-based systems.


