[cap-talk] The Limits of POLA's Utility - Social Engineering

Nick Szabo szabo at szabo.best.vwh.net
Wed Jun 7 17:36:56 EDT 2006


Toby Murray:
> I take the implied point that Bob might not "deserve" helping in this 
> instance. That said, it's interesting to look at the historical 
> precursors to POLA and where they were motivated from. I've read some of 
> Nick Szabo's stuff that draws parallels between e.g. the Separation of 
> Powers and POLA. 

I take POLA and separation of powers to be two distinct but related ideas:

* POLA says to delegate the least power (i.e. create the least vulnerability 
to abuse) as is necessary to accomplish a task.  This is related to the 
"necessary and proper" clause and the non-delegation doctrine in 
constitutional law, to "need to know" in spy agencies, etc.

* Separation of powers (a.k.a. separation of duties) says that, if it is 
necessary to delegate a large amount of power (i.e., if it is necessary to
create a large vulnerability, or "trusted third party"), break the power up 
and delegate separate pieces of it to separate agents in such a way that the 
cooperation of all the agents is required to complete the task -- in 
other words, so that collusion of all the agents is required to exploit 
the vulnerability.

Both involve minimizing the amount of power delegated to any particular
agent. Both assume wisdom on the part of the designer, in deciding how
much power is needed and how much vulnerability is created, which I don't
think is always justified.  This is why I have elsewhere described other
methods of distributing power that don't involve agency or delegation.

BTW, depending on the design, a crucial distinction between capability
security as discussed by many here and traditional ACL security: 
does all vulnerability start with "root" until some designer, such as
a system administrator, breaks it up into pieces by delegation, or does 
vulnerability not exist at all until the user creates it?  At least 
some of the discussion here hints at the latter.  This issue
is either orthogonal to the ACL vs. capability distinction or it is an
unheralded distinction between the two.  In any case, I think it is
a crucial distinction to make -- a kind of Copernican change in 
world-view.

> Surely, these are arguments along the 
> lines of "The system must protect users against their own [bad] nature, 
> for the good of all".

I'd say the idea is to protect other people from a user's bad nature (or 
even just from his negligence).  This might or might not entail protecting 
the user from his own bad nature.  For example, arguably people should 
be forced to use capability security so that their machines cannot so
easily be taken over and used to attack other machines.  This might 
be accomplished, for example, by making such users legally liable for damages
caused by attackers using their machine, even if they didn't know about 
the vulnerability or the breach.

All of the above must be reconciled with the general propositions that we 
are all more productive if knowledge is distributed (this quite conflicts 
with "need to know," for example) and all happier when we are not 
restricted from doing as we like, up to harming others.  Since reconciliation
of these factors in the design of a system requires uncommon wisdom, and 
sometimes wisdom approaching omniscience, on the part of the designer,
we should often distribute power in ways besides delegation: for example
by having the right to make other persons vulnerable be a property right
revocable only upon abuse (along with good definitions for what constitutes
abuse).  This point of view, common in the law, seems to be alien to
almost every computer security scheme I've come across (including 
capability security), probably since up until widespread use of the
Internet security needs have been dominated by the internal needs of
organizations where principal-agent relationships and delegation prevailed.  

Nick Szabo
http://szabo.best.vwh.net
http://unenumerated.blogspot.com
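The two design rules distinguished in the post above, POLA and separation of powers, sketched as an added object-capability example in Python. This is not code from the original message or from anyone on cap-talk; the Ledger resource, the account names, the approver names and the request ids are constructed for illustration. The POLA half hands an agent a closure that can only pay out of one account up to a cap; the separation-of-powers half wraps a large authority so that it is exercised only when every approver endorses the same request, so exploiting it requires collusion of all of them.

```python
"""Object-capability sketch of POLA and separation of powers.

Added example; Ledger, account names, approver names and request ids are
constructed for illustration and are not from the original message.
"""


class Ledger:
    """Full authority over a set of accounts: whoever holds this object can
    move any funds anywhere. In capability terms this is the 'large
    vulnerability'; note there is no 'root' here, the authority comes into
    being when the object is constructed and is held only by its holders."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def transfer(self, src, dst, amount):
        if amount <= 0 or self.balances.get(src, 0) < amount:
            raise ValueError("insufficient funds or bad amount")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount
        return self.balances[src]


def make_payout_facet(ledger, src, per_payment_cap):
    """POLA: return a closure that can pay only out of `src`, and only up to
    `per_payment_cap` per call. The closure is the capability; the holder
    never receives `ledger` itself, so it cannot read other balances or move
    funds between other accounts."""

    def pay(dst, amount):
        if amount > per_payment_cap:
            raise PermissionError("payment exceeds the facet's cap")
        return ledger.transfer(src, dst, amount)

    return pay


class SplitAuthority:
    """Separation of powers: wrap `action` so that it runs only when every
    named approver has endorsed the same request (same id, same arguments).
    One approver alone gets nothing; approvers who disagree on the arguments
    get a rejection rather than a merged request."""

    def __init__(self, action, approvers):
        self._action = action
        self._approvers = frozenset(approvers)
        self._pending = {}  # request_id -> (args, set of approvers so far)

    def share_for(self, approver):
        """Hand out one approver's share as a closure bound to that name;
        holding a share does not allow speaking for another approver."""
        if approver not in self._approvers:
            raise KeyError(approver)

        def approve(request_id, *args):
            args_seen, endorsed = self._pending.setdefault(request_id, (args, set()))
            if args_seen != args:
                del self._pending[request_id]
                raise ValueError("approvers disagree on the request")
            endorsed.add(approver)
            if endorsed != self._approvers:
                return None  # still waiting on the other approvers
            del self._pending[request_id]
            return self._action(*args)

        return approve

    def pending_count(self):
        return len(self._pending)


def outcome(fn, *args):
    """Run fn(*args) and return its result, or the name of the exception raised."""
    try:
        return fn(*args)
    except Exception as exc:
        return type(exc).__name__


def demo():
    """Constructed scenario: a payroll agent gets a narrow facet; moving
    treasury funds needs both the 'cfo' and the 'auditor' shares."""
    ledger = Ledger({"treasury": 1000, "payroll": 500})
    pay = make_payout_facet(ledger, "payroll", 200)
    split = SplitAuthority(lambda dst, amt: ledger.transfer("treasury", dst, amt),
                           {"cfo", "auditor"})
    cfo, auditor = split.share_for("cfo"), split.share_for("auditor")
    return {
        "payroll_ok": outcome(pay, "carol", 150),             # 350 left in payroll
        "payroll_over_cap": outcome(pay, "carol", 201),       # 'PermissionError'
        "cfo_alone": outcome(cfo, "req-1", "vendor", 300),    # None: waits for auditor
        "disagree": outcome(auditor, "req-1", "vendor", 999), # 'ValueError'
        "cfo_again": outcome(cfo, "req-2", "vendor", 300),    # None
        "both": outcome(auditor, "req-2", "vendor", 300),     # 700 left in treasury
        "pending": split.pending_count(),                     # 0
        "balances": ledger.balances,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The closures stand in for unforgeable references: nothing in the payroll agent's reach names the treasury, and neither share alone can complete a treasury transfer, which is the "cooperation of all the agents is required" property the post describes.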

