From: Jonathan A Rees <>
Date: Mon, 09 Dec 2002 22:37:06 -0500
Subject: [e-lang] Lampson, ACLs, and capabilities

[Message fragments originally sent just to markm.  I'm re-sending to
e-lang at markm's request.  Edited from the original.  -JAR]

   Date: Sun, 08 Dec 2002 16:07:22 -0800
   From: "Mark S. Miller" <>

   Could I ask you to expand again on your conversation with Lampson? It's
   kinda more relevant now than when we talked about it before.

In 1994, I was puzzled by a couple of security issues, so I consulted
Butler.  One question was why ACL's seem to dominate security
discussions while capabilities were mostly neglected.  His answer was
that people care about their objects, and they want to be able to
easily check whether an object is protected.  ACL's purport to provide
this information.  Capability lists [or sets] don't directly help you
with the question, since you'd potentially have to check every
capability list of every principal to see whether the list contained a
capability that might allow access to the object.  To avoid such an
exhaustive check requires sophistication: knowledge of history and/or
some kind of inductive argument.

I had a followup conversation some years later - I think I was telling
him about E - in which he acknowledged that for both performance and
general security reasons [object] capabilities are superior for
short-term object protection, and that all OS's have them in one form
or another (Unix file descriptors being a weak but valid example).
But he felt that for protecting long-lived objects (e.g. files),
capabilities don't cut it.

My feeling is that it's possible that he's right - you may need *both*
capabilities  (for everyday programming, confinement, etc.) *and* some
sort of objective view of possible and prevented operations.  But that
view needn't be ACL's; it could be, e.g., some kind of proof system
for verifying security policies.  And as we know such a system should
be built *using* capabilities.

The fact that ACL's give the appearance of security is good voodoo.
The appearance of security is as important as security itself.  As
things stand now, the capability-based answer to the question "is it
protected" may be longer than the attention span of the typical ACL
user.

-- JAR
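The asymmetry Lampson describes above is just the two ways of storing an access matrix: an ACL is the matrix read by column (per object), a capability list is the same matrix read by row (per principal). The following is an added illustration, not code from the post, from Lampson or from E; the principals, objects and rights are constructed sample data. It shows that "who can reach this object?" is a single lookup in the ACL view but an inspection of every principal's list in the capability view, and that a delegation (copying a capability to another principal) changes the true answer without touching any per-object record, which is why an ACL built from a snapshot goes stale unless transfers are forbidden or mediated.

```python
"""Access-matrix views: ACLs (by object) vs. capability lists (by principal).

Constructed toy model (not the e-lang post's code).  It demonstrates why
"is object X protected?" is a direct lookup against an ACL but an exhaustive
scan over every principal's capability list (C-list), and how delegation
moves authority without leaving a per-object record.
"""
from collections import defaultdict

# Constructed sample access matrix: principal -> {object: set(rights)}
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "notes.txt": {"read"}},
    "bob":   {"notes.txt": {"read", "write"}},
    "carol": {},
}


def build_acls(matrix):
    """Column view: object -> {principal: rights}."""
    acls = defaultdict(dict)
    for principal, objs in matrix.items():
        for obj, rights in objs.items():
            acls[obj][principal] = set(rights)
    return dict(acls)


def build_clists(matrix):
    """Row view: principal -> {object: rights}, i.e. each principal's C-list."""
    return {p: {o: set(r) for o, r in objs.items()} for p, objs in matrix.items()}


def who_can_access_acl(acls, obj):
    """ACL answer to 'is obj protected?': one lookup, independent of #principals.

    Returns (holders, number_of_lookups_performed).
    """
    return dict(acls.get(obj, {})), 1


def who_can_access_clists(clists, obj):
    """C-list answer to the same question: every principal's list is inspected.

    Returns (holders, number_of_principals_inspected).
    """
    holders, inspected = {}, 0
    for principal, caps in clists.items():
        inspected += 1
        if obj in caps:
            holders[principal] = set(caps[obj])
    return holders, inspected


def delegate(clists, giver, receiver, obj):
    """Capability semantics: a holder may hand a copy of its capability on.

    Nothing keyed by the object is consulted or updated; only the two
    principals' C-lists are involved.
    """
    if obj not in clists.get(giver, {}):
        raise PermissionError(f"{giver} holds no capability for {obj}")
    clists.setdefault(receiver, {})
    clists[receiver][obj] = set(clists[giver][obj])


def demo():
    """Compare the cost of the question and the effect of one delegation."""
    acls, clists = build_acls(MATRIX), build_clists(MATRIX)
    acl_holders, acl_work = who_can_access_acl(acls, "payroll.db")
    cl_holders, cl_work = who_can_access_clists(clists, "payroll.db")
    assert acl_holders == cl_holders  # same matrix, same answer, different cost

    # alice passes her payroll capability to carol.  The C-lists reflect the
    # transfer immediately; the ACL built earlier is now stale.
    delegate(clists, "alice", "carol", "payroll.db")
    stale = who_can_access_acl(acls, "payroll.db")[0]
    fresh = who_can_access_clists(clists, "payroll.db")[0]
    return {
        "acl_work": acl_work,
        "clist_work": cl_work,
        "stale_acl_holders": sorted(stale),
        "holders_after_delegation": sorted(fresh),
    }


if __name__ == "__main__":
    print(demo())
```

Both views answer identically while the matrix is static; the difference is that the ACL answers in constant work and the C-list scan grows with the number of principals, and that a delegation is visible only in the row view until the column view is rebuilt. That rebuild (or a record of every transfer) is the "knowledge of history" the post refers to.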

e-lang mailing list