[cap-talk] The inside/outside distinction

Jonathan S. Shapiro shap at eros-os.com
Wed Dec 13 08:07:08 CST 2006


Several days ago, I made a distinction about collusion within the system
vs. collusion outside the system. Many of you objected to this
distinction very strongly, and suggested that a system which makes this
distinction is stupid, useless, or at best misguided.

ALL systems NECESSARILY must make this distinction.

In all of the systems we have discussed here, there exists an
authentication boundary. This is the place where the (human) user
establishes that they are entitled to make use of certain resources.
More precisely: the human user establishes (by logging in) an
association with some "root" capability from which the rest of their
state can be reached.

In principle, there is no way to prevent users from sharing their
passwords. In consequence, there is no way (in any absolute sense) to
prevent conspiracy or collusion.

HOWEVER

The cost of sharing a password is high. It gives me access to your text
files, but also to other information that has value to you whose
disclosure you may not desire.

Claim: the sole reason that we do not give away our passwords (RMS
excepted) has to do with the value (cost) of the things the passwords
guard.

That is: the sole impediment to delegation is cost.

This is equally true for corporate data. In the corporate case, we have
an operational need to disclose information to certain parties. The
problem is that we want to disclose this data in such a way that
unauthorized delegation has a cost such that the resulting user behavior
is consistent with the value of the data.

In this view, the purpose of access control is to steer behavior, not to
protect objects.

I'm not sure I buy it, but I thought I would kick the horse again to see
if it was dead.

Why is this view not sound?

-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
