Date: Wed, 15 Apr 1998 05:31:51 -0400
From: esolomon@Siac.COM
To: momichael@mail.hac.com
Subject: Re: PREP & Agenda for THUR April 16 DCE Customer Forum Call

Mark:

Thanks for your quick reply. I appreciate the input.

Help me out with the semantics. I *particularly* had file systems in mind when I used the word transactional. By transactional I meant consisting of many repetitive atomic operations, each one of which is entitled to or needs its own authorization decision. ACL manager controlled usage of a file system (or any of the constructs UNIX would treat as being part of the file system) was in my mind as I wrote that part.

I'm trying to convey the idea that DCE is for high performance applications where the ticket-oriented mechanisms of Kerberos are more appropriate than more-cumbersome certificate or PK-based mechanisms. The scalability (especially in the dimensions of throughput and latency) demands and the operational/business tradeoff opportunities that argue for a Kerberos model as the core of DCE security will, I believe, come into play in other services as well. DCE should aim at providing services that are tuned to that model.

It seems that the word "transactional" may have become overloaded with the connotation of two-phase transactions conducted under a transaction monitor. I see that as a special case of the more general model. How can we express this better, so that the intent is clear?

(And just to make sure there is no misunderstanding, I believe PK-based security has to be blended into DCE security. But the Kerberos system is still the best for transactional work.)

I hope you'll be joining us in the conference call on Thursday.

Again, thanks for the input.

- Eliot