From: Ka-Ping Yee <ping@zesty.ca>
Replying To: David Wagner <daw@cs.berkeley.edu>
Date: Tue, 3 Dec 2002 19:21:24 -0600 (CST)
Subject: Re: [e-lang] capability myths demolished!

On Tue, 3 Dec 2002, David Wagner wrote:
> It depends what you mean by ACLs.  Some ACL systems can readily support
> the same POLA story without requiring the involvement of the superuser.
>
> There's a key principle here:
>   Programs ought to be able to voluntarily relinquish privileges
>   before undertaking certain operations.

Well, sort of.  But the way this sentence refers to "relinquishing"
makes it sound like it's normal to pass on all the privileges you have,
and we are happy if we can have the ability to just turn off a few things.
It's not enough to have a system where you can "relinquish some" privileges.
I'd rather talk about transferring only the privileges you need:

    Programs ought to be able to invoke operations in a way that
    conveys the least necessary privilege.


-- ?!ng
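An added illustration of the distinction drawn above (example code, not from this thread or from any E implementation): a helper that is handed an ambient-authority store with "write" relinquished can still read every other file, whereas a helper handed a single read-only facet receives only the privilege it needs. The store, file names and class names are constructed for the example.

```python
# Added example, not code from the e-lang thread: contrasting "relinquish
# some privileges" with "convey only the least necessary privilege" over a
# constructed in-memory file store. All names here are hypothetical.
FILES = {"/etc/config": "secret=1", "/tmp/report": "draft text here"}

class AmbientStore:
    """Ambient-authority style: any holder can name any file. The caller's
    only protection is relinquishing operations before handing it over."""

    def __init__(self, denied=frozenset()):
        self.denied = denied

    def relinquish(self, *ops):
        return AmbientStore(self.denied | frozenset(ops))

    def read(self, path):
        if "read" in self.denied:
            raise PermissionError("read relinquished")
        return FILES[path]

    def write(self, path, data):
        if "write" in self.denied:
            raise PermissionError("write relinquished")
        FILES[path] = data

class ReadFacet:
    """Capability style: designation and authority travel together. A facet
    names exactly one file and exposes exactly one operation."""

    def __init__(self, path):
        self._path = path

    def read(self):
        return FILES[self._path]

def word_count_ambient(store, path):
    # Helper holds the whole store: with write relinquished it can still
    # read every other file, so the caller conveyed more than was needed.
    return len(store.read(path).split())

def word_count_capability(facet):
    # Helper holds one read-only facet and can reach nothing else.
    return len(facet.read().split())

def demo():
    store = AmbientStore().relinquish("write")
    # Even with write relinquished, the ambient helper could read any file.
    still_reachable = store.read("/etc/config")
    return (word_count_ambient(store, "/tmp/report"),
            word_count_capability(ReadFacet("/tmp/report")), still_reachable)
```

Both helpers compute the same result; the difference is what else each one could have done with what it was given.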