[cap-talk] MLS gone bad - now capabilities? (was: NCSC TCSEC)

[Jed at Webstart]

At 05:01 AM 11/5/2006, Bill Tulloh wrote:

>He claimed the main problem was that there was no market for MLS
>systems (operating systems, databases, applications) -- "absolutely
>none, not even in the military." This was because they were too hard
>to use and they broke off-the-shelf applications. He gives a
>conservative estimate of the cost of this blunder of between $4-9
>billion from 1980-1996.
>
>He also asks why should we care? His answer: it largely drained
>security funding for about 15 years, and led to a massive R&D
>distraction. Since there was no market, there was no market
>discipline, and the wrong R&D bets went unpunished.

Interesting point.  I pretty much agree.  However, with regard to:

>It seems to me that part of what it did was distract R&D away from
>capability-based systems.

I don't believe that even now if one discounts MLS there is any
"market" for object/capability systems.  Sure, everybody agrees
that POLA would be nice/helpful, BUT (and its a big BUT):

1.  How do you manage access control in an object/capability
system (see my recent "Capabilities - the rub" message) -
audit, remove, see, etc. and

2.  Can you implement a capability system that's practical and
get it marketed?  (standards for capabilities, interoperability,
etc., etc.).

I believe these are not light issues.  If the object/capability
paradigm had a strong and together case for delivering
on the above (which I argue it doesn't) then I think it would
be a legitimate contender for at least research dollars.

--Jed http://www.webstart.com/jed/