From: "Jonathan S. Shapiro" <shap@eros-os.org>
Replying To: Mark Miller <markm@caplet.com>
Date: Sun, 01 Dec 2002 10:52:41 -0500
Subject: Re: [e-lang] capability myths demolished!

On Thu, 2002-11-28 at 18:23, Mark Miller wrote:
> ACL systems don't necessarily require root authority to add accounts or to 
> modify the ACLs, even though currently deployed ACL systems do require this. 
> Ironically, the "Club" system several of us created at Xanadu -- now 
> largely revived for Jonathan's OpenCM -- is an ACL design with decentralized 
> account creation and authorization.

At present, in OpenCM, you actually do need to be a member of the admin
group to create a new account,  but we are likely to make that a
distinguished group shortly, as the admin group carries other
authorities that we don't want to have quite to widely spread around.

> I know Jonathan has explained to me why he chose to use the "Club" ACL 
> design rather than a capability one for OpenCM, but frankly I remain 
> confused on the matter. I think we would all learn by revisiting this 
> question.  Jonathan?

1. The application demanded revocation in a way whose book-keeping was
much easier this way. 
2. We concluded jointly that the OpenCM ACL model could be expressed in
capability terms.
3. Given the logging requirements of this application, we needed
principal ID (as represented by crypto key) in any case.


shap 

_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang