[Cst-1b] CST99 paper4: OS Functions
Phebe Mann
pm258@hermes.cam.ac.uk
Fri, 12 May 2000 22:40:33 +0100 (BST)
On Fri, 12 May 2000, Nathan Dimmock wrote:
> "M.Y.W.Y.B." wrote:
> >
> > CST99.4
> >
> > 7 OS Functions
> > Last part ([...T milliseconds...]): I have no clue at all :( Does the
> > question refer to any particular section of the notes???
>
> This is sort of Capabilities v ACLs. If you have ACLs then you have the
> problem that they are stored with the file and therefore distributed and
> duplicated. Therefore if T is small and network file access times slow,
> you might not be able to update all the ACLs in the time limit.
>
> In contrast, Capabilities are stored with the user. The problem is, how
> do you revoke a capability once it's been issued? One strategy is to
> have them expire after time T. There are advantages and disadvantages
> of this approach - if T is too small you're going to be refreshing the
> capability list of each subject very often - excess network(*) traffic,
> lots of work for granting authority, etc. If T is too big then it's
> going to take a long time for the new access control to be enforced.
>
I think the capability + timeout scheme [which is often used in practice]
does not work at all if T is zero (or very close to it). Hence if
T were zero, you would need to use either an ACL or a password capability
scheme, and manage the replication by using e.g. broadcast or multicast
to ensure permissions changes reach every replica.
Phebe
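
The capability-with-timeout trade-off discussed in this thread, as an added example that is not part of the original messages: a revoked subject keeps access until its current capability expires, a small T multiplies refresh traffic, and a T at or below the network delay yields capabilities that are already expired on arrival. The HMAC-signed bearer format, the shared key, the names `Issuer`, `server_check` and `simulate`, the 5 ms delay and the 10 ms access interval are all assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: secret shared by issuer and file servers
GRANT = ("alice", "/f", "read")  # constructed subject, object, right


def _mac(body):
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()


class Issuer:
    """Granting authority: holds the policy, issues capabilities valid for T ms."""

    def __init__(self, t_ms):
        self.t_ms, self.policy, self.issued = t_ms, {GRANT}, 0

    def issue(self, subject, obj, right, now_ms):
        if (subject, obj, right) not in self.policy:
            return None  # revoked: refuse to (re)issue
        self.issued += 1  # each issue is one round trip of refresh traffic
        body = f"{subject}|{obj}|{right}|{now_ms + self.t_ms}"
        return body + "|" + _mac(body)


def server_check(cap, obj, right, now_ms):
    """File server: verifies the capability locally, never asks the issuer."""
    if cap is None:
        return False
    body, _, tag = cap.rpartition("|")
    if not hmac.compare_digest(tag, _mac(body)):
        return False  # forged or altered capability
    _, c_obj, c_right, expiry = body.split("|")
    return (c_obj, c_right) == (obj, right) and now_ms < int(expiry)


def simulate(t_ms, revoke_at_ms, end_ms, net_delay_ms=5):
    """One access attempt every 10 ms; a request reaches the server net_delay_ms later."""
    issuer, cap, ok, last_ok = Issuer(t_ms), None, 0, None
    for now in range(0, end_ms, 10):
        if now >= revoke_at_ms:
            issuer.policy.discard(GRANT)  # revocation only changes the issuer's policy
        arrive = now + net_delay_ms
        if not server_check(cap, "/f", "read", arrive):
            cap = issuer.issue(*GRANT, now_ms=now)  # expired: ask for a fresh one
        if server_check(cap, "/f", "read", arrive):
            ok, last_ok = ok + 1, arrive
    return {"issued": issuer.issued, "ok": ok, "last_ok_ms": last_ok}
```

With revocation at 2500 ms, `simulate(1000, 2500, 5000)` still admits the subject at 2995 ms after only 3 issues, `simulate(100, 2500, 5000)` stops access by the revocation time but needs 25 issues, and `simulate(0, 2500, 5000)` makes 250 issues without a single successful access.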