[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
Toby Murray
toby.murray at comlab.ox.ac.uk
Tue Sep 18 05:19:46 EDT 2007
On Mon, 2007-09-17 at 16:38 -0500, Ka-Ping Yee wrote:
> On Mon, 17 Sep 2007, Toby Murray wrote:
> > On Mon, 2007-09-17 at 18:18 +0100, David Hopwood wrote:
> > > There are at least two problems with this:
> > >
> > > 1. This criterion is based on a stakeholder being able to make an accurate
> > > trust assessment for every component that they depend on. It assumes that
> > > each stakeholder has sufficient information and competence to make this
> > > assessment. But they very often don't.
> >
> > I don't follow. If a stakeholder has insufficient information, surely
> > the only correct decision is to not trust the subsystem and, hence, be
> > willing for it to wield almost zero authority. That's the point of my
> > definition.
>
> I think the ideas from the "Actor-Ability Model" might be helpful in
> this discussion. (http://www.cs.berkeley.edu/~pingster/sec/uid/#state)
I'm glad you brought this up, Ping. I too had noticed the parallels
between my definition and your definition of security from your ICICS
paper.
That paper takes Spafford and Garfinkel's definition of security:
"A computer is secure if you can depend on it and its software to behave
as you expect"
and frames it in terms of the actor-ability model, in which it becomes
"A system is secure from a given user's perspective if the set of
actions that each actor can do are bounded by what the user believes it
can do."
The parallel with my definition becomes clear when one realises that it
is not unreasonable to expect most users to believe that the job of a
security system is to prevent actors from being able to
perform (or cause) actions that the user does not trust them
to perform. Thus, the user expects that if the security system is
functioning correctly, the only actions that each actor can perform are
those that the user trusts them to perform. Hence, it appears that
an actor acquiring authority in excess of trust, from the user's point of
view, is equivalent to the system being insecure by Ping's definition.
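The comparison above, "authority must not exceed trust" versus "each actor's actions are bounded by what the user believes it can do", is easy to make concrete as a check over a small actor-ability model. The code below is an added example and is not from the cap-talk thread or from Ping's paper; the actors, their direct permissions, the delegation edges and the trust table are all constructed for illustration. It computes each actor's authority as the transitive closure of what it can perform or cause through the actors it can invoke, then reports any actions outside what the user trusts that actor with.

```python
"""Added example: check 'authority must not exceed trust' over a constructed
actor-ability model. Authority is computed transitively, so an actor that can
invoke another actor is credited with everything that actor can do."""
from typing import Dict, Set

Actions = Dict[str, Set[str]]

# Constructed system: actions each actor can perform directly.
DIRECT: Actions = {
    "browser": {"render_html"},
    "plugin": {"read_file"},
    "updater": {"write_file", "network"},
}

# Constructed delegation/invocation edges: actor -> actors it can cause to act.
DELEGATION: Dict[str, Set[str]] = {
    "browser": {"plugin"},
    "plugin": {"updater"},
    "updater": set(),
}

# Constructed trust table: actions the user is willing for each actor to wield.
TRUST: Actions = {
    "browser": {"render_html"},
    "plugin": {"read_file"},
    "updater": {"write_file", "network"},
}


def authority(actor: str, direct: Actions, delegation: Dict[str, Set[str]]) -> Set[str]:
    """Actions `actor` can perform or cause, following delegation transitively."""
    seen: Set[str] = set()
    stack = [actor]
    acts: Set[str] = set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        acts |= direct.get(current, set())
        stack.extend(delegation.get(current, set()))
    return acts


def excess_authority(trust: Actions, direct: Actions,
                     delegation: Dict[str, Set[str]]) -> Actions:
    """Per actor, the actions it can perform or cause beyond what the user trusts
    it with. An empty set everywhere means authority never exceeds trust."""
    return {
        actor: authority(actor, direct, delegation) - trust.get(actor, set())
        for actor in direct
    }


def is_secure(trust: Actions, direct: Actions, delegation: Dict[str, Set[str]]) -> bool:
    """Ping's criterion in this model: every actor's reachable actions are
    bounded by what the user believes (trusts) it can do."""
    return all(not extra for extra in excess_authority(trust, direct, delegation).values())


if __name__ == "__main__":
    for actor, extra in excess_authority(TRUST, DIRECT, DELEGATION).items():
        print(f"{actor}: authority {sorted(authority(actor, DIRECT, DELEGATION))}, "
              f"excess {sorted(extra)}")
    print("secure:", is_secure(TRUST, DIRECT, DELEGATION))
```

In the constructed model the trust table matches each actor's direct permissions, yet the check fails: because the browser can invoke the plugin, which can invoke the updater, the browser's authority includes file writes and network access it was never trusted with. Removing the delegation edges (or extending the trust table to cover what the user in fact expects each actor to be able to cause) makes the check pass.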