[cap-talk] A better reference for the "capabilities propagate too easily" argument

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Aug 2 07:41:44 EDT 2007


On Wed, 2007-08-01 at 20:58 -0700, Mark Miller wrote:
> On 8/1/07, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> > On Wed, 2007-08-01 at 08:58 -0700, Mark Miller wrote:
> > > Again, I have no idea what you or anyone else (except Alan) means when
> > > they say "discretionary" or "mandatory".
> >
> > Just for reference, (I believe this tallies with Jonathan's view as
> > well, based on previous discussions here with him) from my
> > point-of-view, the distinction between a mandatory and discretionary
> > control is always decided from the perspective of the subjects involved.
> > If a particular subject, S, has some say in the functioning of the
> > control, then it's discretionary (from S's point of view). Otherwise it's
> > mandatory (from S's point of view).
> 
> I accept that this definition is meaningful and internally consistent.
> However, it differs so completely from historical usage as to be worse
> than useless.

I would submit that S&S's definition is not necessarily any better
understood than the one I presented above, which has been independently
arrived at by Shap, Alan and others. The mere fact that multiple parties
have independently arrived at the same definition tends to suggest that
it might be more useful than the myriad of other definitions that are
used for these terms.

I'd argue that most security people don't have a clear understanding of
what these terms mean to them anyway. Being able to popularise a clear
definition that is understandable and applicable by many would be a
useful thing, particularly if it displaced older, less useful
definitions.

I agree that the S&S definition has the advantage that it distinguishes
capabilities from ACLs. But I think there are better ways to phrase the
superiority of caps over ACLs than via this definition.


