[cap-talk] POLP v. POLA
David Wagner
daw at cs.berkeley.edu
Mon Oct 31 13:59:43 EST 2005
Charles Landau writes:
>At 8:40 PM -0800 10/30/05, David Wagner wrote:
>>Tyler Close writes:
>>>You delegate authority A to service Bob. You later determine that
>>>authority A was used in an abusive way. It is irrelevant to you
>>>whether Bob is a self-sufficient service, or whether it is implemented
>>>through further delegation to service Carol. You are still going to
>>>blame Bob.
>>
>>Could this be a distinction between systems for cooperation between
>>humans and systems for cooperation between software? If "I" and "Bob"
>>are humans, then yup, what you write makes sense. In that context, it is
>>useful to know who to blame, because then I can take that into account
>>in my future interactions with Bob. But if "I" and "Bob" are pieces of
>>software from a single system, then I'm having trouble seeing what good
>>it does to be able to blame Bob. In that case, the system is insecure,
>>and blaming one line of code vs another line of code seems a little odd.
>
>Your code delegates authority A to an object whose code was written
>and installed by Bob. If it is misused, you will blame Bob and adjust
>your code to take that into account in its future interactions with
>Bob's object.
That's one possibility. Another possibility is that the entire
application -- all of its objects -- is written by a single entity (Bob).
Then if the application gets hacked, I already know who to blame: I hardly
need to ask the access control system. But access control systems are
still useful even when the entire system/application is written by one
person. That's what makes me think that access control systems are about
more than just accountability, when we're talking about code, not people.
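The delegation scenario the thread is arguing about, as an added worked example that is not part of the original message or of anything posted to cap-talk. It assumes the usual object-capability way of handing out an authority, a revocable and attenuated forwarder (the caretaker pattern); the names Bob, Carol and "authority A" come from the thread, while the log object, the caretaker helper and the misbehave() hooks are constructed here for illustration. It shows both points at once: the delegator revokes the one forwarder it gave Bob without ever knowing Carol exists, and the attenuated forwarder stops a buggy Carol from wiping the log even though, once everything is written by one party, there is nobody left to blame.

```python
"""Revocable, attenuated delegation of an authority, object-capability style.

'I' hold authority A (here: an append-only log).  I give Bob not A itself but
a caretaker forwarder that exposes only append().  Bob, unknown to me,
delegates that forwarder on to Carol.  Everything Carol does flows through the
forwarder I gave Bob, so revoking Bob cuts Carol off too, and the attenuation
limits what a buggy Carol can do regardless of who wrote her.
"""


class AppendOnlyLog:
    """Authority A: the full log object.  Only the delegator holds this."""

    def __init__(self) -> None:
        self.entries: list[str] = []

    def append(self, entry: str) -> None:
        self.entries.append(entry)

    def clear(self) -> None:
        """Destructive method the delegator never intends to hand out."""
        self.entries.clear()


class Revoked(Exception):
    """Raised when a revoked forwarder is used."""


def make_caretaker(target: AppendOnlyLog):
    """Caretaker pattern (assumed implementation): return a forwarder that
    exposes only append() on `target`, plus a revoke() closure that severs
    the forwarder permanently."""
    holder = {"target": target}

    class Forwarder:
        def append(self, entry: str) -> None:
            t = holder["target"]
            if t is None:
                raise Revoked("delegator revoked this authority")
            t.append(entry)

    def revoke() -> None:
        holder["target"] = None

    return Forwarder(), revoke


class Carol:
    """Service Carol; receives whatever Bob chooses to pass on."""

    def __init__(self, log_cap) -> None:
        self._log = log_cap

    def work(self, msg: str) -> None:
        self._log.append(msg)

    def misbehave(self) -> bool:
        """A buggy or hostile Carol tries to wipe the log.  Returns True if
        the attenuated forwarder blocked the attempt (no clear() to call)."""
        try:
            self._log.clear()
            return False
        except AttributeError:
            return True


class Bob:
    """Service Bob.  The delegator cannot tell that Bob does his work by
    delegating the very same capability on to Carol."""

    def __init__(self, log_cap) -> None:
        self._carol = Carol(log_cap)

    def work(self, msg: str) -> None:
        self._carol.work(msg)

    def misbehave(self) -> bool:
        return self._carol.misbehave()


def run_scenario() -> dict:
    """Constructed scenario: delegate, observe abuse, blame Bob, revoke."""
    log = AppendOnlyLog()                      # I hold A itself
    bob_cap, revoke_bob = make_caretaker(log)  # Bob gets a revocable, attenuated A
    bob = Bob(bob_cap)

    bob.work("order placed")                   # legitimate use, actually via Carol
    wipe_blocked = bob.misbehave()             # attenuation: clear() is unreachable
    revoke_bob()                               # I blame Bob; I never heard of Carol
    try:
        bob.work("late entry")
        works_after_revoke = True
    except Revoked:
        works_after_revoke = False
    return {
        "entries": list(log.entries),
        "wipe_blocked": wipe_blocked,
        "works_after_revoke": works_after_revoke,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The design point is that the delegator's only handle on the situation is the forwarder it created: blame, revocation and attenuation all attach to that object, not to whichever line of code eventually exercised the authority.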