ACLs (and RBAC, and most capability security models) are limited for a reason -- they allow you to prove that certain security properties will hold for your application. Without a solution to the halting problem, no such assertion can be made about security mechanisms expressed using Turing-complete languages.
That's not to say that ACLs are the last word -- they were defined and analyzed in depth in the 60s and 70s, and work in security theory marches on. Models such as information flow analysis, object capabilities, etc., allow for much richer policy definition while still making stronger guarantees about the security of the finished system.
While I actually like most of what Zed has to say in this talk, I think he's doing a grave disservice to the security theory community by dismissing out of hand everything they've done in the last 40 years.
Yes, that provability is big - but I guess his point is that with SOX and other legal requirements - that provability and applicability of ACLs is now completely out of the window, so it's time to stop hammering the square peg into the round hole.
Lawyers and the law don't care about provable security models and neither do the gold owners who want the system. Zed is absolutely right, build what they want even if it isn't provably secure. Test it sufficiently, cover all the cases you can, and move on.
Something doesn't have to be provable to work, the same applies to type systems. Lots of things that aren't provable and would be forbidden by a static type system will happily chug along just fine in a dynamic system that does what you tell it.
When it's law vs theory, law wins. Unlike theory, the law doesn't have to make sense but you sure as hell better be able to show that you attempted to comply with it.