Negotiated Access Control

List-oriented systems integrate protection of an object with the object; ticket oriented systems delegate this responsibiIity to the call hierarchy. We argue that there are situations where integration of protection with the object is more natural, but Iist-oriented systems, due to the static and declarative nature of access-Iists, are too weak for any sophisticated process-object interactions. To solve this, we superimpose procedural access control over the object - oriented capabiIity system model: objects may be associated with so-called access control procedures (ACP) that embody protection decisions. We define several protocols by which a process that wishes to access an object can negotiate with the ACP of the object to ensure that neither party´s protection requirements are violated in the interaction.