[cap-talk] What's "Discretionary Security" (was: Another "core" principle, capability communication)
Jed Donnelley
capability at webstart.com
Tue Jan 2 12:21:37 CST 2007
At 08:47 AM 1/2/2007, Karp, Alan H wrote:
>Jed wrote:
> >
> > I despair of any resolution, but I'll soldier on a bit with the
> > above example/terminology. You seem to suggest in the above that
> > controls over communication qualify as mandatory. Some subject
> > had to set up the communication controls (e.g. established the
> > MLS labels, set up firewalls, not supplied capabilities, whatever
> > you imagine communication blocking to be). For that subject
> > (or those subjects) this control is discretionary. It could be
> > set up that way or not. It is for those trying to exercise a
> > permission that they don't have that the control is "mandatory."
> >
>The difference is that the controlling party may not have access to the
>resource, which means that it may not be able to grant access. It can
>only allow the message to reach the service, which can then allow or
>deny access at its discretion. So, allowing the message to go through
>is at the discretion of the controlling party, but the access to the
>resource is not.

The way I would describe the above is that two permissions are required
for resource access, permission to communicate and permission to access
the resource. The control for these permissions may reside with separate
subjects. For all the subjects involved the control is discretionary
(clearly as a controlling subject must control it) and the access that's
controlled is mandatory (clearly as the controlled subject is being
controlled by it).

I still can't make sense of the "mandatory/discretionary" distinction.

--Jed http://www.webstart.com/jed-signature.html