[cap-talk] Capabilities - the rub, an account

Karp, Alan H alan.karp at hp.com
Sat Nov 25 22:01:51 CST 2006

Rob J Meijer wrote:
> If you can get the issue of accountability and incident response
> into the user's way of thinking (what should not be that hard an
> abstraction to get used to), you could be reasonably sure that the
> user "will not" pass rights unexplicitly.
Unexplained or inadvertent passing of capabilities is not the only
issue.  How is a user to know whether or not policy permits a particular
capability to be passed?  Since that user could always proxy, any such
mechanism must be Voluntary.  However, requiring everyone to know all
the rules all the time is asking too much.  Hence, any mechanism should
allow users to be Oblivious of the rules.  Of course, the bottom line is
Compliance with policy.  Voluntary Oblivious Compliance.

I believe that the goal of having sysadmins control changes of
permissions is to achieve VOC.  It may work, but it's a clumsy tool.
It's so clumsy that people find workarounds, such as sharing passwords,
that are far worse than the problems it solves.  

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029

