[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Sep 17 11:12:10 EDT 2007


On Mon, 2007-09-17 at 11:00 -0400, Jonathan S. Shapiro wrote:
> On Mon, 2007-09-17 at 15:35 +0100, David Hopwood wrote:
> > Toby Murray wrote:
> > > Instead, I've found that a better definition of what we might desire is
> > > 
> > > "the authority of each object/subject/... should not exceed that which
> > > we trust it to wield."
> > 
> > I don't think that switching from "needed to perform its function" to
> > "which it is trusted to wield" is an improvement on the definition
> > of POLA.
> 
> More strongly: I think it's a significant weakening of the concept and a
> misguided statement of design goal (Toby: I'm objecting to the framing,
> not necessarily to your true goal).

I think I see where the disagreement comes from. I'm not trying to
propose a design goal. POLA might well be the strongest design goal one
can hope for. I'm trying to propose a criterion that can be used to
determine whether a system is secure from a particular stakeholder's
point of view.

I should have made that clear.

Cheers

Toby
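
An added illustration, not code from the thread or from any cap-talk participant, of how the criterion above can be applied mechanically: a stakeholder writes down how much authority they trust each subject to wield, the system's capability graph is walked to find each subject's actual authority, and the two are compared. It assumes authority is conservatively approximated as everything transitively reachable through held capabilities, and the graph, names and trust table are constructed for the example.

```python
from collections import deque

# Constructed sample: an edge a -> b means "a holds a capability to b".
CAPS = {
    "editor":     {"document", "spellcheck"},
    "spellcheck": {"dictionary"},
    "backup":     {"document", "network"},
    "network":    set(),
    "document":   set(),
    "dictionary": set(),
}

# Constructed stakeholder view: what each subject is trusted to wield.
# The stakeholder did not consider that the spellchecker reaches the dictionary.
TRUST = {
    "editor":     {"document", "spellcheck"},
    "spellcheck": {"dictionary"},
    "backup":     {"document", "network"},
}


def authority(graph, subject):
    """Conservative authority of `subject`: every object reachable by
    following held capabilities (assumes capabilities may be passed on)."""
    seen, todo = set(), deque([subject])
    while todo:
        node = todo.popleft()
        for target in graph.get(node, ()):
            if target not in seen:
                seen.add(target)
                todo.append(target)
    return seen


def authority_exceeds_trust(graph, trust):
    """Map each subject to the part of its authority the stakeholder did not
    trust it with. Empty dict means the criterion holds for this stakeholder."""
    excess = {}
    for subject in graph:
        over = authority(graph, subject) - trust.get(subject, set())
        if over:
            excess[subject] = over
    return excess


if __name__ == "__main__":
    # The editor's transitive authority includes the dictionary, which the
    # stakeholder never trusted it with, so the system fails the criterion.
    print(authority_exceeds_trust(CAPS, TRUST))  # → {'editor': {'dictionary'}}
```

The same graph passes or fails depending only on the trust table, which is the sense in which the criterion is relative to a particular stakeholder.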