[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
Dean Tribble
tribble at e-dean.com
Mon Sep 17 23:01:26 EDT 2007
On 9/17/07, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
>
> ... Users do not always
> predict the consequences of their actions correctly; there are two
> ways we can address this:
>
> 1. Change the system model to fit the mental model.
>
> 2. Change the mental model (i.e. educate users) to fit the system.
One should also add:
3. where possible, minimize the impact of a bad grant.
4. where feasible, recover and/or repair the consequences of a bad grant after revocation
Occasional bad grants are inevitable, whether through ignorance or
misbehavior of someone who had been "trusted". Making POLA choices to
enable or simplify 3 and 4 is interesting to consider.
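Added example (not code from this thread): points 3 and 4 sketched in Python with a caretaker-style forwarder. The grantee receives only a facet that caps how many writes it forwards and can later be revoked, and revocation returns a journal that lets the grantor undo what got through. Log, make_revocable and demo are constructed for illustration.

```python
class Revoked(Exception):
    """Raised when a facet is used after revoke() was called."""

class Log:
    """Constructed stand-in for a resource whose access is being granted."""
    def __init__(self):
        self.lines = []
    def write(self, line):
        self.lines.append(line)
    def remove(self, line):
        self.lines.remove(line)

def make_revocable(target, max_writes):
    """Return (facet, revoke): the facet forwards to target until revoked and
    allows at most max_writes writes (bounded impact); revoke() cuts it off
    and returns the journal of forwarded writes so they can be undone."""
    state = {"target": target, "journal": []}

    class Facet:
        def write(self, line):
            t = state["target"]
            if t is None:
                raise Revoked("capability has been revoked")
            if len(state["journal"]) >= max_writes:
                raise PermissionError("write quota exhausted")
            t.write(line)
            state["journal"].append(line)

    def revoke():
        state["target"] = None
        return list(state["journal"])

    return Facet(), revoke

def demo():
    log = Log()
    facet, revoke = make_revocable(log, max_writes=2)
    facet.write("ok")
    facet.write("bad")         # the grant is misused: an unwanted write lands
    try:
        facet.write("worse")   # quota bounds further damage (point 3)
    except PermissionError:
        pass
    for line in revoke():      # revoke, then repair what got through (point 4)
        log.remove(line)
    return log.lines
```

The facet holds no direct reference to the Log, so the grantee cannot bypass the quota or the revocation by reaching the underlying object.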