[cap-talk] Capability beginner questions

Jed Donnelley jed at nersc.gov
Wed Oct 3 18:56:54 EDT 2007


On 10/3/2007 1:23 PM, David Chizmadia (JHU) wrote:
> James A. Donald wrote:

>> The great insight for creating secure systems is that
>> user actions *should* be authorizations, as many user
>> actions as possible - that more trusted modules should
>> continually harvest from the user's actions information
>> about what less trusted modules should be permitted to
>> do.  This concept is the key to dealing with the storm
>> of attacks that trouble us today. Capabilities are a
>> technology that assists in architecting systems that do
>> this.
> 
>     There is strong evidence from IDS/IPS research that this
> approach has definite flaws and dangers. The most obvious and
> significant one is that a poorly informed or trained user - or more
> insidiously, a malicious insider - will continually perform
> inappropriate actions that are soon interpreted as normal and
> appropriate and quietly embodied as policy by the UI.

Actions that may unknowingly and inappropriately grant
undesired authority.  I believe it is important to
distinguish those user actions which are authorizations
from those which are not.

It seems to me that any effort to "harvest" all
(or even only some not explicitly designated) user
actions for authorizations would create
a seriously conflicted and confusing situation with
regard to how users view their actions.  For example,
I don't want to have to worry that drawing a line
from one project icon to another in a project
management program might inadvertently cause some
potentially unwanted authorization to happen.

I'm particularly interested to hear how others
who focus more on user interface issues (e.g.
Ping?) regard this idea of aggressively 'harvest'ing
user actions for authorizations.

--Jed  http://www.webstart.com/jed/
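The distinction Jed draws, as an added example that is not part of the thread: a designated action (choosing a file in a trusted dialog) mints a read capability, an ordinary UI action (drawing a line between project icons) confers nothing, and a policy that harvests every action shows the drift David describes. FILES, the class names and the threshold are constructed for the illustration.

```python
# Added illustration (not from the thread): a trusted "powerbox" in which only
# a designated user action mints a capability, beside a policy that harvests
# every action. The in-memory FILES store and all names are constructed.

FILES = {"notes.txt": b"project notes", "payroll.csv": b"salaries"}  # constructed

class ReadCap:
    """Read authority for exactly one file; the less trusted module receives
    this object, never a name it could widen to other files."""
    def __init__(self, name):
        self._name = name

    def read(self):
        return FILES[self._name]

class Powerbox:
    """Trusted module: `user_chose_file` is the one action treated as an
    authorization; every other UI action only updates the model."""
    def __init__(self):
        self.granted = []      # audit log of capabilities handed out

    def user_chose_file(self, name):
        self.granted.append(name)
        return ReadCap(name)

    def user_drew_line(self, src, dst):
        return None            # deliberately confers no authority

class HarvestingPolicy:
    """Model of the 'harvest every action' approach: after `threshold`
    repetitions an action is silently treated as authorized, so repeated
    inappropriate actions become policy without the user designating anything."""
    def __init__(self, threshold=3):
        self.threshold, self.seen = threshold, {}

    def observe(self, action):
        self.seen[action] = self.seen.get(action, 0) + 1
        return self.seen[action] >= self.threshold   # True = quietly authorized

def demo():
    pb = Powerbox()
    cap = pb.user_chose_file("notes.txt")          # explicit designation
    line = pb.user_drew_line("proj-a", "proj-b")    # plain UI action, no grant
    hp = HarvestingPolicy()
    drift = [hp.observe("export payroll.csv") for _ in range(4)]
    return {"read": cap.read(), "line_grants": line,
            "granted": list(pb.granted), "drift": drift}
```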

