[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"
David Wagner
daw at cs.berkeley.edu
Tue Sep 18 05:50:49 EDT 2007

Toby Murray writes:
>People make rational trust decisions all of the time.

1. I'd be more inclined to believe in a model of Rational Ignorance:
people aren't stupid or irrational, but it isn't worth their time to
perform the kind of analysis to make the kind of trust decisions you
want them to make, and so they rationally refrain from deciding, or
decide based on grounds that might appear irrational on the surface.

2. I don't believe there is a single upper bound on the amount of trust
users are willing to provide. We have overwhelming evidence that users
are often willing to accept whatever vulnerability is necessary (e.g.,
extend whatever trust is necessary) to get their work done. There's a
reason why voters use Microsoft Word today even though it doesn't come
even remotely close to satisfying POLA: they need to get their work done.

Therefore I dispute the claim that there is any useful boundary between
"the level of trust a user is willing to extend" vs "the level of trust
they are not willing to extend". Users' everyday behavior makes such
a claim look rather dubious to me.

I understand it would be nice if such a clear-cut line existed, but in
practice I don't think it does.

>No it might not be sound. However, I expect that a system containing
>excess authority should be considered insecure.

Systems containing excess authority are not necessarily insecure.
They may be harder to reason about or less resilient to unanticipated bugs
or riskier. One can build a secure system that doesn't follow POLA --
though it's probably harder to ensure its security than when building
one that does follow POLA.