[cap-talk] In Defense of Identities
Jonathan S. Shapiro
shap at eros-os.com
Tue Dec 5 10:17:45 CST 2006
On Tue, 2006-12-05 at 09:23 -0600, Karp, Alan H wrote:
> Jonathan makes some excellent points in his essay. (It's more than a
> note, isn't it.) However, I disagree with his recommendation to make
> human conspiracy a nuisance. If you raise the bar too high, then people
> simply share their passwords.

Umm. That isn't quite what I was saying, and I think we agree.

The problem is exactly what you say: the external barrier to human
conspiracy is low, so engineering a higher barrier into the
computational system doesn't really make sense.

Once we acknowledge that this is a discussion about relative costs, it
may be the case that the technical deficiencies of identity-based
authorization are real but irrelevant. The nuisance factor of ACLs may
actually be at just about the right level.

> If Alice needs Trent to add Bob to some list before she
> can delegate to Bob, then Trent becomes a bottleneck. Often, Trent has
> no basis for knowing whether or not Alice's request makes sense, so he
> merely does what she tells him to do. Involving Trent is a waste of
> time and effort.

Even if Trent acts as you say, the fact that Trent must authorize
becomes auditable -- which may be the entire value obtained from the
sequence.

I confess that I am disturbed by my own direction here. I am, in effect,
arguing that sophisticated conspiracy is unavoidable but rare,
unsophisticated conspiracy is common but traceable, and that the right
level-set may therefore be to provide mechanisms that guard against
unsophisticated conspiracy and oblivious error.

--
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100