[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

Jonathan S. Shapiro shap at eros-os.com
Mon Sep 17 11:00:44 EDT 2007


On Mon, 2007-09-17 at 15:35 +0100, David Hopwood wrote:
> Toby Murray wrote:
> > Instead, I've found that a better definition of what we might desire is
> > 
> > "the authority of each object/subject/... should not exceed that which
> > we trust it to wield."
> 
> I don't think that switching from "needed to perform its function" to
> "which it is trusted to wield" is an improvement on the definition
> of POLA.

More strongly: I think it's a significant weakening of the concept and a
misguided statement of design goal (Toby: I'm objecting to the framing,
not necessarily to your true goal).

There are two problems with this framing:

1. The trust decisions of most users are ill-informed. Bluntly, the
overwhelming majority of users are incapable of exercising good judgment
in these decisions, because they don't know enough about the
consequences of their decisions. In consequence this framing would make
POLA useless as a design principle.

2. In a well-designed system, many entities will operate just fine with
considerably less trust than I might be willing to give them. For
example, the entire security of any system rests on the correct
execution of its authentication system. It does NOT follow that I should
grant that system greater authority than it absolutely requires. Indeed,
the *reason* that I might be willing to trust it further is essentially
intertwined with the fact that, as designers, we chose NOT to extend it
such authority.

Toby: I don't have the original context on this conversation. Based on
your past postings I'm sure this statement originated from a
well-motivated place. Even if it didn't, I'm reluctant to attempt any
critique from a position of perfect ignorance. [Take a minute here to
get over your shocked surprise... :-)]

Ultimately, it is not the technology or the theory of capability systems
that is their real source of power. The real source of power is the way
in which these mechanisms and theory support, enhance, and reinforce a
discipline and idiom of structured and principled system construction.
In light of this, having strong statements of practically applicable
design principles like POLA and POLP is vitally important. We need to
refine our understanding, but not at the cost of weakening the utility
of these principles.

I know that you understand this. Given that it is important, I encourage
you to engage in some amount of meta-level presentation engineering as
you consider what terms should mean what and how to introduce new
concepts. The most active posters on this list are leading researchers
and developers, but we have readers here at many different levels, some
of whom are trying to get their heads around new ideas.


I regret that I must now crawl back into my hole to meet a proposal
deadline in five hours, and I will not be able to follow up on this
exchange further. If I have worded something badly here, please try to
forgive me.
-- 
Jonathan S. Shapiro
Managing Director
The EROS Group, LLC
www.coyotos.org, www.eros-os.org
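An added illustration of the design point in item 2 above; it is not part of Shapiro's mail or of any EROS/Coyotos code, and every name in it (CredentialStore, SessionTable, Authenticator, the sample user) is invented for the sketch. The authentication component is something the whole system must trust to behave, yet it is handed only the two capabilities its job needs: a yes/no credential verifier and a session minter. It never receives the full credential store, so a bug in it cannot add users, read digests or revoke other sessions. Python does not enforce object-capability discipline, so the structure, not the language, is what carries the point.

```python
"""Toy object-capability sketch: an authenticator with least authority (constructed example)."""
import hashlib
import hmac
import os
import secrets


class CredentialStore:
    """Full-authority credential store: can add users and read every record.
    The authenticator is deliberately never given a reference to this object."""

    def __init__(self):
        self._records = {}  # user -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._records[user] = (salt, self._digest(salt, password))

    def verifier(self):
        """Attenuated capability: answers yes/no for one (user, password) pair.
        It cannot enumerate users, read digests, or modify records."""
        records, digest = self._records, self._digest

        def verify(user, password):
            rec = records.get(user)
            if rec is None:
                # Hash anyway so a missing user costs the same as a wrong password.
                digest(b"\0" * 16, password)
                return False
            salt, stored = rec
            return hmac.compare_digest(stored, digest(salt, password))

        return verify


class SessionTable:
    """Full authority over sessions; the authenticator is only given `mint`."""

    def __init__(self):
        self._sessions = {}  # token -> user

    def mint(self, user):
        token = secrets.token_hex(16)
        self._sessions[token] = user
        return token

    def whoami(self, token):
        return self._sessions.get(token)

    def revoke(self, token):
        self._sessions.pop(token, None)


class Authenticator:
    """Holds exactly two capabilities. Even if its code is wrong or hostile,
    the most it can do is ask verify() questions and mint sessions."""

    def __init__(self, verify, mint):
        self._verify = verify
        self._mint = mint

    def login(self, user, password):
        if not self._verify(user, password):
            return None
        return self._mint(user)


def build_system():
    """Wire the components; only this function ever sees the full-authority objects."""
    store = CredentialStore()
    sessions = SessionTable()
    auth = Authenticator(store.verifier(), sessions.mint)
    return store, sessions, auth


def held_capabilities(auth):
    """Names of the capabilities the authenticator can reach directly."""
    return sorted(vars(auth))


if __name__ == "__main__":
    store, sessions, auth = build_system()
    store.add_user("alice", "correct horse battery staple")  # constructed sample user
    token = auth.login("alice", "correct horse battery staple")
    print("login ok:", sessions.whoami(token) == "alice")
    print("bad password:", auth.login("alice", "nope"))
    print("authenticator holds:", held_capabilities(auth))
```

The trust we place in `Authenticator` is justified by what it cannot reach: auditing it means auditing two small closures, and the full-authority objects stay confined to `build_system()`.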
