[cap-talk] What Horton cannot do? (Was: mailkey: transfer of accountability...)

Jed Donnelley capability at webstart.com
Sun Jun 3 02:16:43 EDT 2007


At 10:29 PM 6/2/2007, Karp, Alan H wrote:
>Jed wrote:
> >
> > The problem is that most IT professionals shun capability
> > systems because of criticisms like those in P-1935.
> > They shun capability systems (and thus the possibility
> > of solving their virus problems) at least partly (mostly?)
> > because they believe that capability systems cannot
> > adequately provide accountability for actions taken
> > within such systems - the "reactive" sort of 'access
> > control' that MarkM refers to in the Horton paper.
> >
>Another oft cited criticism is the difficulty in managing fine-grained
>authorities.

Right, the one so often championed by Butler Lampson, e.g., this
quote of his:

"I think, for example, that the Principle Of Least Privilege has done an
enormous amount of damage to security because what it encourages
you to do is to make everything fine grain and work out all the
dependencies very carefully and it's too complicated.  You can't keep
track of it.  You're bound to mess it up.  Even if you get it right today
it will be wrong three months from now.  Nobody will have the patience
to ever look at it again because there's just too much of it.  So I say
absolutely no to fine grain protection.  Everything should be as coarse
grain as possible because otherwise you won't be able to administer it.
That's a very unpopular position with most people.  I think there's a lot
of empirical evidence that tells us now that it's right."

Of course I believe the above quote is quite wrong - from my
own experience applying POLP - much like with object programming.
Still there above is his opinion that is, as you say, sadly shared
by many others.

>Of course, combining designation with authorization shows
>that criticism is a misconception.

By transforming POLP essentially into simply good object
oriented programming.  There I feel we agree.

--Jed  http://www.webstart.com/jed-signature.html 



