[cap-talk] SPAM-LOW: Re: The inside/outside distinction
Valerio Bellizzomi
devbox at selnet.org
Thu Dec 14 16:32:47 CST 2006
On 14/12/2006, at 11.57, Sandro Magi wrote:
>Jonathan S. Shapiro wrote:
>>> First, all these arguments are arguments, not really against
>>> capabilities, but rather arguments against POLA. It is the argument,
>>> "I'll make you grant so much excess authority that you'll be scared into
>>> granting not enough authority."
>>
>> Go read what I wrote again. I made two statements:
>>
>> 1. Humans don't want to give away their passwords because doing
>> so conveys too much authority.
>>
>> 2. Companies have a need to convey some amount of authority THAT
>> IS OPERATIONALLY NECESSARY, but need to do so in an environment
>> where the employee's good sense cannot always be relied on.
>>
>> The first statement is certainly not anti-POLA in any way.
>
>Actually, I currently see the second situation as an HCI issue, and so
>not necessarily anti-POLA either. Framing it as an access control issue
>is somewhat anti-POLA though, and this may be the source of disagreement
>on this list.
>
>> Given the way I worded the original, I can see how you misread the
>> second part. Let me clarify. I was NOT stating that giving employees
>> excessive authority provides any protection -- quite the contrary, I
>> believe that employees have much less incentive to protect their
>> companies than to protect themselves. What I was saying was just the
>> opposite: *because* employees have a lesser incentive to protect their
>> employers, they are inclined to delegate more casually, and companies
>> need a means to moderate these (often oblivious) compliance failures.
>
>Right, so your concern here is not that the employees *can* delegate,
>but that they *may* delegate inappropriately due to laziness, ignorance,
>etc. (which I agree does and will happen). If so, wouldn't it make more
>sense to keep the *ability* to delegate and share, but design the
>interface in such a way that delegation is non-obvious in the cases
>where it doesn't make sense or is more dangerous? [1]
>
>At some point, someone has to make the decision whether a delegation
>should be allowed, and if it's not the user, then the decision to
>delegate must itself be delegated to people who are categorized as "more
>trustworthy" for whatever reason.
>
>Assuming this "trustworthiness" metric is reliable, if these "higher
>powers" deem the delegation appropriate, the ability to delegate must
>still be available! This led you to the OpenCM design of delegable group
>management as access control for the "higher powers", but it doesn't
>necessarily preclude a capability implementation.
>
>I think I touched on a possible capability solution above: attempted
>delegations have a third-party man-in-the-middle which authorizes or
>denies them. This is a little less enforceable with "capabilities as
>data" if you can read your permission tokens right off the screen though.
>
>Sandro
>
>[1] The other obvious answer to laziness and/or ignorance being "find
>better employees". ;-)
I agree with the rest, but for laziness/ignorance I have another response:
Develop better training for your employees and do it appropriately :-)
val