[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
Jed Donnelley
capability at webstart.com
Tue Sep 18 04:28:53 EDT 2007
At 08:01 PM 9/17/2007, Dean Tribble wrote:
>On 9/17/07, Ka-Ping Yee <cap-talk at zesty.ca> wrote:
>... Users do not always
>predict the consequences of their actions correctly; there are two
>ways we can address this:
>
> 1. Change the system model to fit the mental model.
>
> 2. Change the mental model (i.e. educate users) to fit the system.
>
>
>One should also add:
>
>3. where possible, minimize the impact of a bad grant.
>
>4. where feasible, recover and/or repair the consequences of a bad
>grant after revocation.
>
>Occasional bad grants are inevitable, whether through ignorance or
>misbehavior of someone who had been "trusted". Making POLA choices
>to enable or simplify 3 and 4 is interesting to consider.
I believe mechanisms that support revocation in an understandable way
(e.g. the Horton identity-based mechanism) can also help in this area
(#3 and #4).
--Jed http://www.webstart.com/jed-signature.html