[cap-talk] "Discretionary" vs. "mandatory" access control

Fred Spiessens fsp at info.ucl.ac.be
Wed Jul 20 19:09:02 EDT 2005

Hi Ka-Ping,

On 20 Jul 2005, at 23:23, Ka-Ping Yee wrote:

> If you mean to define "discretionary" as "decided only by behaviour of
> the non-human authority holder", which is what i think is meant when
> people talk about "mandatory" and "discretionary" access control in
> ACL systems, then capability systems are not discretionary either.

I did not mean that, and you are right.
Though I only considered non-human subjects, I did not restrict the 
definition of "discretionary" to the behavior of authority holders.
I agree that your definition is what is often meant with discretionary 
access control, but Alan's DoD-derived definitions are different and 
they are also used often.
Anyway, "mandatory" is usually not meant to be the complement of your 
definition for "discretionary". Otherwise, it would also be a mandatory 
policy when authority propagation is for instance only: "decided by the 
behavior of the non-human authority-requester".
I prefer a definition that makes every policy either mandatory or 
discretionary. Alan's DoD-derived definitions have this:
discretionary: only local behavior is involved.
mandatory: something else (non-local) is involved (too).

In object-capability systems, subject behavior is restricted by local 
references: rather than being disallowed to refer to other (non-local) 
subjects, subjects are just unable to do that.  Therefore no non-local 
mechanism for policy enforcement is involved (and none is needed).

> The ability to transfer a capability is NOT decided only by the 
> authority holder, because the authority holder can be confined.

True, it is also decided by the behavior of the authority requester (no 
capability can be imposed upon a subject). And also, what I assume you 
mean by "confined": the local behavior (of both subjects) is always 
restricted by their local references.

> On the other hand, if "authority holder" includes unconfinable subjects
> such as humans, then all access control is discretionary.




Fred Spiessens
Researcher Software Security
Université catholique de Louvain
fsp at info.ucl.ac.be
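The local-versus-non-local distinction discussed in the message above, as an added example that is not part of the cap-talk thread or of any system it mentions; the subject names, the clearance table and the class and function names are all constructed for illustration.

```python
# Added example, not from the cap-talk thread: a toy model of the distinction
# Fred draws. In Subject, authority is only the references a subject holds;
# LabelledSubject adds a non-local check. All names are this example's own.

class Subject:
    def __init__(self, name, accepts_new_refs=True):
        self.name = name
        self.accepts_new_refs = accepts_new_refs  # requester behaviour matters too
        self.refs = {}  # label -> referenced object (a capability or a subject)

    def accept(self, label, cap):
        # No capability can be imposed on a subject: the recipient's own
        # behaviour decides whether the reference is taken up.
        if not self.accepts_new_refs:
            return False
        self.refs[label] = cap
        return True

    def transfer(self, target_label, cap_label):
        # Propagation needs local references to both recipient and capability;
        # a subject lacking a reference simply cannot reach the other subject.
        if target_label not in self.refs or cap_label not in self.refs:
            return False
        return self.refs[target_label].accept(cap_label, self.refs[cap_label])

CLEARANCE = {"alice": 2, "bob": 1, "carol": 0}  # constructed non-local labels

class LabelledSubject(Subject):
    # Same local mechanism plus a global rule consulted on every transfer.
    def transfer(self, target_label, cap_label, cap_level):
        if CLEARANCE[target_label] < cap_level:  # the non-local ("mandatory") part
            return False
        return super().transfer(target_label, cap_label)

def confinement_demo():
    alice, bob, carol = Subject("alice"), Subject("bob"), Subject("carol")
    alice.refs.update(file=object(), bob=bob)  # alice knows bob and a file cap
    got_it = alice.transfer("bob", "file")     # flows along alice's references
    leaked = bob.transfer("carol", "file")     # bob holds no reference to carol
    return got_it, leaked                      # (True, False)

def refusal_demo():
    alice, bob = Subject("alice"), Subject("bob", accepts_new_refs=False)
    alice.refs.update(file=object(), bob=bob)
    return alice.transfer("bob", "file")  # False: recipient behaviour blocks it

def mandatory_demo():
    alice, carol = LabelledSubject("alice"), LabelledSubject("carol")
    alice.refs.update(file=object(), carol=carol)
    return alice.transfer("carol", "file", cap_level=1)  # False despite local refs
```

In the first two demos nothing outside the two subjects is consulted, which is the "only local behavior" case; the third fails only because of the global table, which is the "something non-local is involved" case.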

