[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

David Wagner daw at cs.berkeley.edu
Mon Sep 17 19:37:26 EDT 2007


Toby Murray writes:
>Given some means to calculate the authority A_o of each object, o, in a
>system, and given the authority we're willing to trust each object to
>wield, A_o', the system is insecure if for some o, A_o \superset A_o'

"the authority we're willing to trust each object to wield" is not an
objective criterion.  It cannot be measured.  It is not a yardstick that
a software developer can use: it is not realistically measurable.  Users
make trust decisions for all sorts of peculiar and subjective reasons.
My sister might trust any software that comes in professional-looking
packaging, my brother might trust anything at all, my mother might trust
whatever her friends use, and my father might not trust any software.
There is no one answer, and the answers may not be rational, and they
are probably not a very useful basis for making engineering decisions.

The "we" in "we're willing to trust" is ambiguous.  To quote Tonto,
who's we, kemo sabe?

Do you know anyone who sits down and decides how much they're willing to
trust each object in a piece of complex software before deciding whether
to install that software?  Users don't do that.  That'd be ridiculous.
If you ask a user how much they're willing to trust each object, the
most likely answer you'll get is probably "Huh?".

Finally: Authority is just one aspect of security, it is not the
whole forest.  I don't think that trying to define security in terms of
authority is going to work.

Analyzing how much authority is granted to each object may well be a
useful thing to do.  That doesn't mean it is the definition of what it
means for a system to be secure, though.  Buckling my seat belt when I
get in the car is a good idea, but that doesn't make it the definition
of safety for cars.
