Summary of ACL discussion and proposal

I think that we've been mostly talking about 3 things, which are related but
which it might be better to tease apart and try to consider separately, and
which I'll try to summarize.

1. Principal IDs should be more than user ID; in particular, they should be
able to include location from where the access came.
2. The specification of an "accessor" in an ACE should be an opaque, system-
specific thing (let's call them "OIDs" for short), and new functions are
needed to convert between OIDs and principal IDs.
3. The specification of which principals an ACE grants rights to should be
more flexible and powerful than just a single principal ID (or OID); let's
call it a "principal specification" after Howard's suggestion. I.e.,
conceptually, there is a function
	bool IsMatchingPrincipal(principal-spec, principal-ID)
which, given a principal ID and a principal specifier, tells whether the
principal matches it.

In order to enable us to flush out further issues, I would make the
following proposal:
1. I will make the spec agnostic on the subject of issue #1. Actually, it
already is, but I'll make it clear that it is.
2. I will make the spec 99% agnostic on the subject of issue #3. I.e., in
the spec for an ACE, I'll make it refer to "principal specifier" instead of
"principal ID"; but _for now_ the only form of principal specifier will be a
simple principal ID. This will be isolated to one place, where we can
upgrade it if/when we come to consensus on changing it. But at least it will
be a separable discussion.
3. Table issue #2 until there is a requirements specification for it.

Comments?

Paul

Received on Friday, 24 October 1997 14:22:06 UTC
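As an added illustration (not part of the original message or of any spec draft), the sketch below shows how the three issues separate in code: a principal carries more than a user ID (issue #1, with the "location" component assumed as an example), an ACE refers to a principal specifier rather than a bare principal ID (issue #3), and the whole "does this principal match this specifier" decision is isolated in one function, as the proposal's point 2 suggests. The simple-ID form is the only one the proposal commits to; the `Anyone` and `FromLocation` specifier forms, the grant-only accumulation of rights, and all names and sample data are assumptions made for the example.

```python
"""ACL evaluation sketch: an ACE names a "principal specifier" rather than a
bare principal ID, and the matching rule lives in exactly one function.
Constructed example; every specifier form beyond a simple ID is an assumption."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Union


@dataclass(frozen=True)
class Principal:
    """Issue #1: a principal ID may carry more than the user ID.  Here the
    extra component is the location the access came from (assumed form)."""
    user_id: str
    location: Optional[str] = None


# Issue #3: principal specifier forms.  SimpleId is the only form the proposal
# adopts for now; Anyone and FromLocation are assumed extensions that show
# where an upgrade would plug in.
@dataclass(frozen=True)
class SimpleId:
    user_id: str


@dataclass(frozen=True)
class Anyone:
    pass


@dataclass(frozen=True)
class FromLocation:
    """Matches a user only when the access originates from a given location."""
    user_id: str
    location: str


PrincipalSpec = Union[SimpleId, Anyone, FromLocation]


def is_matching_principal(spec: PrincipalSpec, principal: Principal) -> bool:
    """The single place where 'does this principal match this specifier' is
    decided; a new specifier form means adding one branch here and nowhere
    else in the ACL code."""
    if isinstance(spec, SimpleId):
        return principal.user_id == spec.user_id
    if isinstance(spec, Anyone):
        return True
    if isinstance(spec, FromLocation):
        return (principal.user_id == spec.user_id
                and principal.location == spec.location)
    raise TypeError(f"unknown principal specifier: {spec!r}")


@dataclass(frozen=True)
class ACE:
    spec: PrincipalSpec
    rights: FrozenSet[str]


def granted_rights(acl: list, principal: Principal) -> FrozenSet[str]:
    """Union of rights from every ACE whose specifier matches the principal.
    Grant-only accumulation is an assumption: the message defines neither
    ACE ordering nor deny entries."""
    rights = set()
    for ace in acl:
        if is_matching_principal(ace.spec, principal):
            rights |= ace.rights
    return frozenset(rights)


# Constructed sample ACL (not from any real system).
SAMPLE_ACL = [
    ACE(SimpleId("alice"), frozenset({"read", "write"})),
    ACE(Anyone(), frozenset({"read"})),
    ACE(FromLocation("bob", "intranet"), frozenset({"write"})),
]


def demo() -> dict:
    """Evaluate the sample ACL for a few constructed principals."""
    return {
        "alice": granted_rights(SAMPLE_ACL, Principal("alice")),
        "bob@intranet": granted_rights(SAMPLE_ACL, Principal("bob", "intranet")),
        "bob@internet": granted_rights(SAMPLE_ACL, Principal("bob", "internet")),
        "carol": granted_rights(SAMPLE_ACL, Principal("carol")),
    }


if __name__ == "__main__":
    for who, rights in demo().items():
        print(f"{who}: {sorted(rights)}")
```

The point of the layout is the one the proposal makes: if the spec says "principal specifier" but the only form is a simple ID, then `is_matching_principal` has a single branch and the rest of the evaluator never changes when richer forms (groups, locations, OID-derived specifiers) are added later.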