[cap-talk] Capability beginner questions

David Chizmadia (JHU) chiz at cs.jhu.edu
Wed Oct 3 16:23:14 EDT 2007


James A. Donald wrote:
> Some of the opinions on this list are inappropriately
> confident in stating facts about a technology that is as
> yet largely nonexistent, and whose past implementations
> have failed.

    <Sigh> ...and some of the (minority) opinions are just as
inappropriately confident in asserting that band-aids on entrenched
technologies that continue to fail despite heroic previous efforts
will magically improve those technologies...

> The great insight for creating secure systems is that
> user actions *should* be authorizations, as many user
> actions as possible 

    I'll agree that there is a germ of *one* great insight...

    I'll also interpret the sentence as "...as many user actions as
possible *should* be authorizations..." since it is both sensible
and a true statement. Ping and others have done and are continuing
to do excellent work in the realm of more closely matching human
mental models that are represented in GUIs to the expected
authorizations passed to the underlying software actors.

> - that more trusted modules should
> continually harvest from the user's actions information
> about what less trusted modules should be permitted to
> do.

    There is strong evidence from IDS/IPS research that this
approach has definite flaws and dangers. The most obvious and
significant one is that a poorly informed or trained user - or more
insidiously, a malicious insider - will continually perform
inappropriate actions that are soon interpreted as normal and
appropriate and quietly embodied as policy by the UI. In some
limited environments, this may be acceptable. For most environments
where security or privacy are a real concern, however, it makes far
more sense for the UI designer to concentrate on embedding an
authorization model in the UI that is isomorphic to the mental model
of the UI semantics that is internalized by most users (as
determined by research performed during the UI development).

-DMC
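The failure mode Chizmadia describes can be shown concretely. The following is an added example and not code from either poster or from any capability system; it is a toy simulation with constructed names, thresholds and an invented action log. The "adaptive" policy harvests a user's actions and promotes anything seen often enough to standing permission for a less-trusted module; the "designation" policy grants only what the user explicitly designated for the current interaction and never generalizes from history. Replaying the same insider log through both shows the first quietly baking an inappropriate read into policy while the second leaves no standing authority behind.

```python
"""Toy simulation of the two authorization designs discussed above.

AdaptivePolicy: a trusted layer harvests the user's actions and grants a
less-trusted module whatever the user has done often enough (the design
the reply warns about).  DesignationPolicy: authority is conferred only by
an explicit user act for the current interaction and is never generalized.

Constructed example: thresholds, file names and the action log are made up.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class AdaptivePolicy:
    """Learns standing permissions from observed user behaviour."""
    threshold: int = 3                       # assumed: N sightings => policy
    seen: Counter = field(default_factory=Counter)

    def observe(self, verb: str, target: str) -> None:
        self.seen[(verb, target)] += 1       # the UI records what the user did

    def is_allowed(self, verb: str, target: str) -> bool:
        # Consulted later with no user present: the module acts on learned policy.
        return self.seen[(verb, target)] >= self.threshold


@dataclass
class DesignationPolicy:
    """Grants exactly what the user designated, for this interaction only."""
    granted: set = field(default_factory=set)

    def designate(self, verb: str, target: str) -> None:
        self.granted.add((verb, target))      # e.g. user picked it in a chooser

    def release(self, verb: str, target: str) -> None:
        self.granted.discard((verb, target))  # interaction over, authority gone

    def is_allowed(self, verb: str, target: str) -> bool:
        return (verb, target) in self.granted


# Constructed action log: an insider keeps reading a file the module has no
# business touching, mixed in with ordinary work.
INSIDER_ACTIONS = [
    ("read", "quarterly_report.doc"),
    ("read", "/etc/shadow"),
    ("read", "quarterly_report.doc"),
    ("read", "/etc/shadow"),
    ("read", "/etc/shadow"),
]


def replay_adaptive(actions, threshold=3):
    """Feed the log to an AdaptivePolicy.

    Returns (policy, drift) where drift lists (step, verb, target) for each
    action that crossed the threshold and became standing policy.
    """
    policy = AdaptivePolicy(threshold=threshold)
    drift, promoted = [], set()
    for step, (verb, target) in enumerate(actions, 1):
        policy.observe(verb, target)
        if policy.is_allowed(verb, target) and (verb, target) not in promoted:
            promoted.add((verb, target))
            drift.append((step, verb, target))
    return policy, drift


def replay_designation(actions):
    """Feed the same log to a DesignationPolicy.

    Each user action designates one (verb, target) for that interaction and
    releases it afterwards.  Returns (policy, denied_mid_interaction): the
    module is allowed exactly the designated action while it lasts, and
    nothing survives into the next interaction.
    """
    policy = DesignationPolicy()
    denied_mid_interaction = 0
    for verb, target in actions:
        policy.designate(verb, target)
        if not policy.is_allowed(verb, target):
            denied_mid_interaction += 1
        policy.release(verb, target)
    return policy, denied_mid_interaction


def standing_access(policy, verb, target) -> bool:
    """What the less-trusted module can do later, with no user in the loop."""
    return policy.is_allowed(verb, target)


if __name__ == "__main__":
    adaptive, drift = replay_adaptive(INSIDER_ACTIONS)
    print("adaptive: promoted to policy ->", drift)
    print("adaptive: module may read /etc/shadow unattended:",
          standing_access(adaptive, "read", "/etc/shadow"))
    designated, _ = replay_designation(INSIDER_ACTIONS)
    print("designation: module may read /etc/shadow unattended:",
          standing_access(designated, "read", "/etc/shadow"))
```

The threshold-counting learner stands in for any baselining scheme; whatever the statistic, an insider who controls the input stream controls what becomes "normal". The designation policy is not smarter, it simply has nothing to poison: the user's act confers one bounded authority, and the act of reading a file once does not become a standing right to read it.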

