Web Apps and access control

Why so few mentions of capability based access control when that is the Single Right Way to go about it?

ACLs are not only broken by design but they also don’t allow for delegation, and they become overly complicated real fast. ACLs became the status quo only because people who had no idea about security design thought “why not just wing security, because what could go wrong, right?”

I started a thread before about a particular implementation of capabilities called “macaroons” but it didn’t get much attention. They have real nice properties, such as delegation while restricting access.

For example, you as the owner of your photo collection have a token that gives you full access to them. You can take this token and append restrictions to it like “read only”, “until next Sunday”, and “to app with signature F393…AA01” (let’s say apps generate a key for themselves upon install), then give it to your app. When the network sees this token, it applies the restrictions one by one: checks the base token, checks if the request is for reading, checks if the time limit is valid, and checks if it’s signed by the right app. Iff everything matches, the data is returned.

Here’s a video that explains this better:

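The photo-collection scenario above, as an added toy implementation of macaroon-style tokens (example code written for this thread, not from the original post or from any macaroon library). Each caveat is chained in with an HMAC keyed by the previous signature, so the holder can keep narrowing the token but can never strip a caveat or widen it back out without the root key. The root key, resource identifier, caveat syntax (`key op value`) and the app fingerprint `F393AA01` are all made-up for the example; binding the request to the app is simplified to an `app` claim carried in the request, where a real deployment would have the app sign the request or use a third-party caveat.

```python
"""Macaroon-style bearer tokens with chained-HMAC caveats (toy example)."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Tuple


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Macaroon:
    identifier: str            # public: names the root key / resource
    caveats: Tuple[str, ...]   # first-party caveats, in the order they were added
    signature: bytes           # HMAC chain over identifier, then each caveat


def mint(root_key: bytes, identifier: str) -> Macaroon:
    """The service mints the owner's unrestricted token; only the service knows root_key."""
    return Macaroon(identifier, (), _mac(root_key, identifier.encode()))


def attenuate(m: Macaroon, caveat: str) -> Macaroon:
    """Any holder can add a caveat. The new signature is keyed by the old one,
    so the old (broader) signature is not recoverable from the new token."""
    return Macaroon(m.identifier, m.caveats + (caveat,), _mac(m.signature, caveat.encode()))


def _check(caveat: str, request: Dict[str, object]) -> Tuple[bool, str]:
    """Evaluate one caveat against the request. Syntax (assumed): 'key op value'."""
    parts = caveat.split(" ", 2)
    if len(parts) != 3:
        return False, f"malformed caveat: {caveat!r}"
    key, op, value = parts
    if key not in request:
        return False, f"request does not carry {key!r}"
    actual = request[key]
    if op == "=":
        return str(actual) == value, f"caveat {caveat!r} not satisfied"
    if op == "<":
        return int(actual) < int(value), f"caveat {caveat!r} not satisfied"
    return False, f"unknown operator in {caveat!r}"


def verify(m: Macaroon, root_key: bytes, request: Dict[str, object]) -> Tuple[bool, str]:
    """Service side: recompute the HMAC chain from the root key, then apply caveats in order."""
    sig = _mac(root_key, m.identifier.encode())
    for c in m.caveats:
        sig = _mac(sig, c.encode())
    if not hmac.compare_digest(sig, m.signature):
        return False, "signature mismatch (forged, or a caveat was stripped)"
    for c in m.caveats:
        ok, why = _check(c, request)
        if not ok:
            return False, why
    return True, "ok"


# Constructed sample data for the scenario in the post.
ROOT_KEY = b"service-side-secret-for-alice-photos"   # made-up, never leaves the service
OWNER_TOKEN = mint(ROOT_KEY, "alice/photos")
APP_TOKEN = attenuate(
    attenuate(attenuate(OWNER_TOKEN, "action = read"), "time < 1700000000"),
    "app = F393AA01",
)

if __name__ == "__main__":
    req = {"action": "read", "time": 1699999999, "app": "F393AA01"}
    print(verify(APP_TOKEN, ROOT_KEY, req))
    print(verify(APP_TOKEN, ROOT_KEY, {**req, "action": "write"}))
    # Holder tries to drop the app restriction but keeps the signature: fails the chain check.
    stripped = Macaroon(APP_TOKEN.identifier, APP_TOKEN.caveats[:2], APP_TOKEN.signature)
    print(verify(stripped, ROOT_KEY, req))
```

The verifier never sees the owner's broader token, only whatever the app presents, and the app can delegate further (for example `attenuate(APP_TOKEN, "album = vacation")`) without talking to the service at all. Caveats are evaluated with plain string comparison here; the time caveat is only as good as the clock the verifier supplies in the request.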