[cap-talk] "Discretionary" vs. "mandatory" access control
fsp at info.ucl.ac.be
Wed Jul 20 19:09:02 EDT 2005
On 20 Jul 2005, at 23:23, Ka-Ping Yee wrote:
> If you mean to define "discretionary" as "decided only by behaviour of
> the non-human authority holder", which is what i think is meant when
> people talk about "mandatory" and "discretionary" access control in
> ACL systems, then capability systems are not discretionary either.
I did not mean that, and you are right.
Though I only considered non-humans subjects, I did not restrict the
definition of "discretionary" to the behavior of authority holders.
I agree that your definition is what is often meant with discretionary
access control, but Alan's DoD-derived definitions are different and
they are also used often.
Anyway, "mandatory" is usually not meant to be the complement of your
definition for "discretionary". Otherwise, it would also be a mandatory
policy when authority propagation is for instance only: "decided by the
behavior of the non-human authority-requester".
I prefer a definition that makes every policy either mandatory or
discretionary. Alan's DoD-derived definitions have this
discretionary: only local behavior is involved.
mandatory: something else (non-local) is involved (too).
In object-capability systems, subject behavior is restricted by local
references: rather than being disallowed to refer to other (non-local)
subjects, subjects are just unable to do that. Therefor no non-local
mechanism for policy enforcement is involved (and none is needed).
> The ability to transfer a capability is NOT decided only by the
> holder, because the authority holder can be confined.
true, it is also decided by the behavior of the authority requester (no
capability can be imposed upon a subject). And also, what I assume you
mean by "confined": the local behavior (of both subjects) is always
restricted by their local references.
> On the other hand, if "authority holder" includes unconfinable subjects
> such as humans, then all access control is discretionary.
Researcher Software Security
Université catholique de Louvain
fsp at info.ucl.ac.be
More information about the cap-talk