[cap-talk] POLP v. POLA
daw at cs.berkeley.edu
Mon Oct 31 13:59:43 EST 2005
Charles Landau writes:
>At 8:40 PM -0800 10/30/05, David Wagner wrote:
>>Tyler Close writes:
>>>You delegate authority A to service Bob. You later determine that
>>>authority A was used in an abusive way. It is irrelevant to you
>>>whether Bob is a self-sufficient service, or whether it is implemented
>>>through further delegation to service Carol. You are still going to
>>Could this be a distinction between systems for cooperation between
>>humans and systems for cooperation between software? If "I" and "Bob"
>>are humans, then yup, what you write makes sense. In that context, it is
>>useful to know who to blame, because then I can take that into account
>>in my future interactions with Bob. But if "I" and "Bob" are pieces of
>>software from a single system, then I'm having trouble seeing what good
>>it does to be able to blame Bob. In that case, the system is insecure,
>>and blaming one line of code vs another line of code seems a little odd.
>Your code delegates authority A to an object whose code was written
>and installed by Bob. If it is misused, you will blame Bob and adjust
>your code to take that into account in its future interations with
That's one possibility. Another possibility is that the entire
application -- all of its objects -- are written by a single entity (Bob).
Then if the application gets hacked, I already know who to blame: I hardly
need to ask the access control system. But access control systems are
still useful even when the entire system/application is written by one
person. That's what makes me think that access control systems are about
more than just accountability, when we're talking about code, not people.
More information about the cap-talk