[Squeak-e] Sagan security model

Fri Mar 28 11:25:44 CET 2003

[for want of a better place I post this here]

With OmniBase finally available under Squeak (/me pats: self on:
shoulder), I've started work on the content management system (and more)
that will, hopefully, run my cdegroot.com website some time this
century. For now, there's some marginal information on
http://swiki.squeakfoundation.org/sea/66 - it's still too much
vapourware to start a website for.

Anyway, if you read the design note on
http://swiki.squeakfoundation.org/sea/75, you will notice that I'm
planning to make Sagan completely free of ACL's. And as I don't want to
make the mistake of slapping security on as an afterthought, I'd like to
sollicit any ideas before commencing work on this layer.

The basic idea I have is that you are always known to the system as a
user - where most users will all start out sharing the same 'anonymous'
user, with a sort of 'copy-on-write' mechanism creating a private set of
capabilities as soon as the user gets new capabilities. The capabilities
are kept server-side, the user can access them by authenticating (by
whatever means - probably I'll start out with a cleartext password on an
unsecured connection ;-)). Capabilities are persisted, of course, in
OmniBase. 

Ideally(?), there would be a mesh of capabilities between the m users
and the n objects to protect. However, I fear that this m*n number may
be a tad unmanagable for, say, 1000 users and 10,000 protectable
objects. 

So, the first thing I'm looking for is ways to lower this count, maybe
by grouping objects in some way and handing out a single capability to
them, etcetera. Questions to be answered: can this be done without
impairing either security or user-friendliness? If yes, what is a good
basis for this grouping?

The second issue, more down-to-earth, is how to implement capabilities.
On an object with n methods, you can theoretically hand out 

  n
 --
 \  (n)
 /  (k)
 --
 k=1

 different capabilities ("\[\sum_{k=1}^{n} \left( \begin{array}{c}n \\ k
\end{array} \right)\]" if you're into LaTeX). That's a tad high to
resolve with static classes. So some sort of dynamic wrapper must be
made to represent capabilities, and it must be lightweight and space
efficient, because Sagan is going to store lots of them.

I had a third issue, but an incoming phone call popped that off the
stack. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lnx-12.ams-2.theinternetone.net/pipermail/squeak-e/attachments/20030328/d3f58ff5/attachment.bin