* [http://www.skyhunter.com/marc.html Introduction to capability based security]
* Norm Hardy Security Pages: ????
* [http://www.erights.org/ E Home page]
* Pet Name paper
* Ode

Revision as of 18:07, 26 November 2006



Quick Reference Card

The Quick Reference Card can be seen here.

The Meaning Of "Authority"

E does not attempt to control computing resources such as memory and disk space, so within E, allocating such resources is not considered conveying a controlled authority. Objects that are transparent and transitively immutable (i.e., DeepFrozen) are considered to convey no authority. Strings, integers, ConstLists, ConstMaps, and eMakers all meet these criteria (though the elements of a ConstList, and the objects made by an eMaker, may very well convey authority).
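An added example (not from this page) of the DeepFrozen distinction in E: strings and a ConstList of integers pass the DeepFrozen guard and can be handed to untrusted code freely, while a counter object that closes over a mutable variable does not, because holding it is the authority to change that state. The helper checkFrozen and the counter are constructed for the illustration; exact failure messages from the guard are not relied on.

```e
# Added illustration: which values pass E's DeepFrozen guard.
def greeting :DeepFrozen := "hello"        # a String is DeepFrozen
def primes :DeepFrozen := [2, 3, 5, 7]     # ConstList of ints is DeepFrozen

# A counter closes over mutable state, so a reference to it conveys
# authority (the power to change that state) and is not DeepFrozen.
def makeCounter() {
    var count := 0
    return def counter {
        to incr() :int {
            count += 1
            return count
        }
    }
}
def counter := makeCounter()

# Coerce through the guard; report whether the coercion succeeded.
def checkFrozen(obj) :boolean {
    try {
        def frozen :DeepFrozen := obj
        return true
    } catch problem {
        return false
    }
}

println(checkFrozen(greeting))   # true
println(checkFrozen(primes))     # true
println(checkFrozen(counter))    # false: carries mutable state
```

The same test applied to objects made by an eMaker gives the distinction the paragraph draws: the maker may be frozen, but what it makes need not be.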

Miranda Methods

respondsTo etc.

yourself used to get reliable "broken" behavior when sending to local object

The "opt" prefix marks an optional accessor: use optFoo in place of getFoo when null may be returned.

Are returned objects that don't meet the guard simply coerced to null? Warn developers that this won't raise an exception and could be a source of null values.

Must rethrow in the catch clause if using the promise coming out of when-done; otherwise the promise resolves to null rather than being broken.
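An added example (not from this page) of why the catch clause must rethrow: the value of a when-expression is a promise for the value of its body, so a catch clause that only logs the problem fulfils that promise with null and downstream holders cannot see the failure. The broken reference is constructed with Ref.broken for the illustration.

```e
# Added illustration: swallowing vs. propagating a problem in when-catch.
def brokenVow := Ref.broken("backend unavailable")   # constructed failure

# Swallowing: the catch clause returns nothing, so `swallowed` fulfils with null.
def swallowed := when (brokenVow) -> done1(value) {
    return value
} catch problem {
    println(`logged: $problem`)
}

# Propagating: rethrowing breaks `propagated` with the same problem, so any
# later when-clause on it takes its own catch path.
def propagated := when (brokenVow) -> done2(value) {
    return value
} catch problem {
    println(`logged: $problem`)
    throw(problem)
}

when (swallowed) -> done3(v) {
    println(`swallowed resolved to: $v`)        # null, failure is invisible
} catch p {
    println("not reached")
}

when (propagated) -> done4(v) {
    println("not reached")
} catch p {
    println(`propagated is broken: $p`)        # the original problem
}
```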

"bind" is now a standalone verb, no "def" needed.

In Walnut, discuss printOn(stream) and use it in examples. In the security section, note that it must use the guard printOn(out :TextWriter). Remember that printOn reveals whatever you put on out. The other way to be safe is to print the objects on the way to constructing what gets printed, as in

"" + x


`$\n` is a newline now
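An added example (not from this page or from Walnut) covering the two notes above: a guarded print method that reveals only what the object chooses, composition of sub-objects via "" + x so they never receive the outer writer, and `$\n` as the newline in a quasi-literal. It uses E's actual method name __printOn (the notes abbreviate it as printOn); the account, invoice and placeholder key are constructed for the illustration.

```e
# Added illustration: safe printing in E.
def makeAccount(owner :String, apiKey :String) {
    return def account {
        # The guard keeps a non-writer from being passed in; the body decides
        # what is revealed. apiKey is deliberately never put on out.
        to __printOn(out :TextWriter) :void {
            out.print(`<account $owner>`)
        }
        to getOwner() :String { return owner }
    }
}

def makeInvoice(account, lines) {
    return def invoice {
        to __printOn(out :TextWriter) :void {
            # "" + account renders account on a fresh writer, so account never
            # sees this invoice's `out`; $\n is the newline.
            var text := `Invoice for ${"" + account}$\n`
            for line in lines {
                text += `  $line$\n`
            }
            out.print(text)
        }
    }
}

def acct := makeAccount("zebra-copy", "PLACEHOLDER-KEY")
def inv := makeInvoice(acct, ["500 flyers", "200 posters"])
println("" + inv)
# Invoice for <account zebra-copy>
#   500 flyers
#   200 posters
```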

Further Reading

AHK: There's also the scalability issue with ACLs. My door, CD cabinet, and gun vault all need to know who to let in. Any change has to be communicated to all of them in a timely manner. This becomes hard as the number of users and control points goes up. Here's the way I describe it.

One essential difference between capabilities and ACLs is that the former relates to a role and the latter to an identity. Here's an example from real life.

Zebra Copy, a small business in Palo Alto and Cupertino, does business with HP. Some 2,000 HP employees are permitted to order work from them. The system in place uses ACLs, so Zebra Copy has a database of HP employees and what each is allowed to do. Every time an employee changes roles, HP must notify Zebra Copy, and they must update their database. HP has some 20,000 such business partners, and Zebra Copy has several hundred companies it does business with. What a nightmare. I thought the person describing this to me was joking.

If capabilities were used, life would be much simpler. Zebra Copy would give HP a capability for each access right. It would be up to HP to manage those capabilities. When someone at HP changed jobs, it would be HP's responsibility to make sure that the capability was transferred properly. Should a capability be stolen or misused, HP would be responsible until it notified Zebra Copy to revoke it. Zebra Copy would need only keep one set of capabilities for each contract; HP would not need to keep suppliers informed of personnel changes.
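An added example in E (not from this page or from AHK) of the arrangement described above: Zebra Copy issues one revocable capability per contract, HP passes it between its own people without Zebra Copy ever hearing about it, and Zebra Copy revokes the single capability when HP reports misuse. Revocation uses E's standard caretaker pattern (a forwarder plus a revoker); the order desk, contract number and job names are constructed for the illustration.

```e
# Added illustration: one capability per contract, managed by the holder.
def makeOrderDesk(contract :String) {
    return def orderDesk {
        to order(job :String) :String {
            return `order for $contract: $job`
        }
    }
}

# Caretaker: forwarder plus revoker. Holders of the forwarder can use the
# target until the revoker is exercised; they never hold the target itself.
def makeCaretaker(target) {
    var enabled := true
    def forwarder {
        match [verb, args] {
            if (enabled) {
                E.call(target, verb, args)
            } else {
                throw("capability revoked")
            }
        }
    }
    def revoker {
        to revoke() :void { enabled := false }
    }
    return [forwarder, revoker]
}

# Zebra Copy's side: one caretaker per contract; only the forwarder is shared.
def [hpOrders, hpRevoker] := makeCaretaker(makeOrderDesk("HP-2006-17"))

# HP's side: the authorised employee is whoever currently holds hpOrders.
var printingClerk := hpOrders
println(printingClerk.order("500 flyers"))

# Role change inside HP: hand the capability over. Zebra Copy's database
# (there is none) needs no update.
def newClerk := printingClerk
printingClerk := null
println(newClerk.order("200 posters"))

# Misuse reported: Zebra Copy revokes the one capability for the contract.
hpRevoker.revoke()
try {
    newClerk.order("anything")
} catch problem {
    println(`refused: $problem`)
}
```

Compare the ACL version of the same story: Zebra Copy would keep a row per HP employee, and every role change at HP would have to reach that table before it took effect.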

eDesk Example

Web Server Example

Safe Classes, Unsafe Classes, and Suppressed Methods
