[cap-talk] "Who" seen as thorny (was: Defense of Identities, etc.)
Jonathan S. Shapiro
shap at eros-os.com
Fri Dec 8 18:11:22 CST 2006
On Fri, 2006-12-08 at 14:33 -0800, Jed at Webstart wrote:
> At 10:01 AM 12/7/2006, Karp, Alan H wrote:
> >Jonathan S. Shapiro wrote:
> >
> > > Which brings me back to my earlier statement that defining what
> > > constitutes a "who" is a very thorny problem.
> >
> >Indeed it is. In the e-speak product "who" was defined by knowledge of
> >a private key. In Client Utility, "who" was defined by a Protection
> >Domain.
>
> Is there more to this "who" (identity) issue that I'm missing....
Yes, there is, and Alan is not addressing my point either.
The only reason to speak of "who" in a system is when we are trying to
attribute actions to stakeholders. Unfortunately, actions are not
performed by stakeholders. Actions are performed by programs. While a
program may run as a consequence of some command or action that I (the
human who is logged in) initiate, it does not follow that the program
acts in accordance with my intent, and it is (generally) absurd to
imagine that I (the human who is logged in) have any meaningful degree
of control over the actions of that program.
A strong argument can be made that if we are looking for a human whose
intent the program obeys, it is much more likely to be the developer
than the user. This is true for "well behaved" programs, but it is very
painfully true for programs like viruses and Trojan horses.
So the problem here is that if we are going to make any meaningful
authorization or logging decisions tied to "who", we need to get all of
the relevant who's captured in some form.
Based on the general quality level of software in the wild, if the
program actually *does* do what the logged in human intended, it's
probably fair to characterize that as fortuitous accident rather than
developer intent. :-)
Part of what I'm saying is that the term "subject" is different from the
term "user" for a reason, and it often proves that when we are speaking
of "who" what we really need is subject ids rather than user ids.
In any case, this is what I was talking about. The definition of "who"
is deeply complicated because the people who speak of tracing or
authorizing "who"s generally are being very sloppy in asserting what
they are really trying to accomplish in the way of traceability. For
what they really want, tracing the logged in human isn't even CLOSE to
good enough.
Also, it should now be clear why "holders of cryptographic keys" is a
useful metric in some contexts, but does not shed light on the problem
of who is [a] who.
shap