[cap-talk] POLP v. POLA

David Wagner daw at cs.berkeley.edu
Sun Oct 30 18:59:18 EST 2005


Toby Murray writes:
>I wonder whether there is some consensus out there, about whether people 
>intuitively understand "least privilege" as "least authority" or "least 
>permission".

I think the notion of Least Privilege is somewhat vague and ambiguous,
and I doubt there's any consensus on precise details.  (It's still a
very useful concept nonetheless.)

Saltzer and Schroeder weren't omniscient.  They don't have any special
dispensation or knowledge that the rest of us lack.  The way forward,
in my view, isn't to try to parse their words with exacting precision to
try to determine whether they were referring to permission or authority.
They couldn't possibly have anticipated how this rough concept would
apply to all sorts of systems they didn't imagine.

Instead, I think the most useful way to proceed is to understand the
*arguments* behind *why* the Principle of Least Privilege is useful
and appropriate.  Then, when we encounter a new context that wasn't
previously anticipated, we can see which of those same arguments apply
to the new context, and whether there are new considerations.  In the
case of capability systems and the question of permission vs authority,
I think the arguments for POLP also suggest that it is useful to limit
authority to the minimum needed.  So I view POLA as a particular
instance/elaboration of the broad POLP principle, specialized to
capability systems and mindful of the permission vs authority distinction.
