[cap-talk] Another "core" principle

Rob J Meijer rmeijer at xs4all.nl
Sun Dec 17 15:37:13 CST 2006


> I propose the following as a core principle:
>
>   3. We must not accept any design pattern for authority management
>      whose use cannot be managed by human beings in the real world.
>
> I'm not sure my concern is valid, but I'm concerned about the membrane
> pattern. If the consequence of causally dependent capabilities (which is
> what membranes build) is that nobody ever dares to revoke a membrane,
> then there is absolutely no point introducing the membranes in the first
> place.
>
> If my concern proves to be valid, then the membrane pattern should be
> rejected -- even if we can make it work from a technical perspective.
>
> shap

The problem you are touching on is, I think, strongly related to the lack of
incident response awareness in system design. If you design your systems
for 'proportional response' this means that you should have subsystems
and subsystem interconnection designed in such a way that they don't fall
subject to cascaded failure in the case where incident response dictates
an interconnected subsystem to be disabled/removed/disconnected.
What you are suggesting sounds like another excuse for not designing
subsystems to be tolerant to external failures.

I feel (as I've stated many times on the list) that incident response is
a subject that is completely missing in cap lit, but that absolutely
requires attention. I feel that membranes would be valuable for IR, as would
the pubkey/seckey traceable delegations discussed lately. A lot of work is
however needed on the subject imho. In any case, I feel membranes to be
part of the solution, not of the problem.

Rob
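The exchange above is about whether a membrane can ever be revoked in practice without the revocation cascading through every subsystem that received capabilities via it. The following is an added example, not code from the cap-talk thread or from any capability system the posters work on: a minimal membrane in Python (one revocation switch, every object crossing the boundary wrapped in a forwarder tied to that switch) beside a consumer written for 'proportional response', which catches the revocation and degrades instead of failing. The class names (`Membrane`, `Reporter`, `Store`) and the single-direction wrapping simplification are this example's own assumptions; a full membrane wraps both directions with mirrored forwarders.

```python
"""Added example (not from the original cap-talk thread): a minimal
object-capability membrane with one revocation switch, plus a consumer
designed so that revoking the membrane does not cascade into a failure
of the consuming subsystem.  All names here are assumptions of this example."""
from __future__ import annotations

import logging
from typing import Any

log = logging.getLogger("membrane")


class Revoked(Exception):
    """Raised when a capability behind a revoked membrane is used."""


class Membrane:
    """Every object that crosses the boundary (return values, arguments,
    attributes) is wrapped in a forwarder tied to this membrane, so a single
    revoke() cuts the whole causal tree of capabilities derived through it."""

    def __init__(self) -> None:
        self.revoked = False
        self.wrapped_count = 0  # bookkeeping for the demo only

    def revoke(self) -> None:
        self.revoked = True

    def wrap(self, obj: Any) -> Any:
        # Primitives carry no authority; pass them through unwrapped.
        if obj is None or isinstance(obj, (bool, int, float, str, bytes)):
            return obj
        self.wrapped_count += 1
        return _Forwarder(self, obj)


class _Forwarder:
    """Transparent proxy: checks the membrane switch on every use and wraps
    everything it hands out (simplified: both directions share one switch)."""

    def __init__(self, membrane: Membrane, target: Any) -> None:
        object.__setattr__(self, "_membrane", membrane)
        object.__setattr__(self, "_target", target)

    def _check(self) -> None:
        if self._membrane.revoked:
            raise Revoked("capability revoked by membrane")

    def __getattr__(self, name: str) -> Any:
        self._check()
        attr = getattr(self._target, name)
        if callable(attr):
            def forwarded(*args: Any, **kwargs: Any) -> Any:
                self._check()
                wrap = self._membrane.wrap
                result = attr(*[wrap(a) for a in args],
                              **{k: wrap(v) for k, v in kwargs.items()})
                return wrap(result)
            return forwarded
        return self._membrane.wrap(attr)


class Record:
    def __init__(self, name: str, body: str) -> None:
        self.name, self.body = name, body

    def read(self) -> str:
        return self.body


class Store:
    """Subsystem inside the membrane: hands out Record capabilities."""

    def __init__(self) -> None:
        self._records = {"a": Record("a", "alpha"), "b": Record("b", "beta")}

    def get(self, name: str) -> Record:
        return self._records[name]


class Reporter:
    """Consumer outside the membrane, written for proportional response:
    holds a wrapped Store and Records derived from it, and when they are
    revoked it logs the loss and returns a degraded view instead of crashing."""

    def __init__(self, store: Any) -> None:
        self._store = store
        self._records: list[Any] = []
        self.last_error: str | None = None

    def load(self, *names: str) -> int:
        self._records = [self._store.get(n) for n in names]
        return len(self._records)

    def summary(self) -> list[str]:
        out: list[str] = []
        for rec in self._records:
            try:
                out.append(rec.read())
            except Revoked as exc:
                # Incident response disconnected the subsystem; degrade, don't cascade.
                self.last_error = str(exc)
                log.warning("record unavailable: %s", exc)
        return out


def demo() -> dict:
    """Load through the membrane, revoke once, show the consumer survives."""
    m = Membrane()
    reporter = Reporter(m.wrap(Store()))
    loaded = reporter.load("a", "b")       # Records come back wrapped
    before = reporter.summary()            # ["alpha", "beta"]
    m.revoke()                             # one act of incident response
    after = reporter.summary()             # [] - degraded, not crashed
    return {"loaded": loaded, "before": before, "after": after,
            "wrapped": m.wrapped_count, "error": reporter.last_error}


if __name__ == "__main__":
    print(demo())
```

The point for the thread's argument is in `Reporter.summary()`: the derived `Record` capabilities die with the membrane exactly as the membrane pattern intends, and the consumer that was designed for it keeps running; a consumer that let `Revoked` propagate is the cascaded failure the reply warns against.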
