[cap-talk] gauntlet - one way IPC considered useless, practical MLS?
David Wagner
daw at cs.berkeley.edu
Fri Jan 13 20:53:00 EST 2006
Jed writes:
>The simple security property was enforced and programs/people had to be
>explicit about declassifications (the * property).
By writing "programs/people", I'm afraid you have failed to grasp
the purpose and motivation underlying all the work on MLS systems.
The basis of MLS is that you trust people, but don't trust programs.
Thus while it might be ok to allow explicit declassifications requested
by people, it definitely would not be ok
(according to the problem statement that MLS systems were trying to solve)
to let programs perform declassifications on their own, whether explicit
or otherwise.
If you're going to trust programs to declassify data, then you don't
have an MLS system, and the Bell-LaPadula stuff is irrelevant.