[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

Ka-Ping Yee cap-talk at zesty.ca
Tue Sep 18 08:55:24 EDT 2007


On Tue, 18 Sep 2007, Toby Murray wrote:
> On Tue, 2007-09-18 at 02:40 -0700, David Wagner wrote:
> > I don't see it.  Let the Buggy Mailer be as I described above.  Let the
> > Nonbuggy Mailer be similar to the Buggy Mailer, except it does not have
> > the problematic mode of operation described above.  The Buggy Mailer
> > and the Nonbuggy Mailer receive the same amount of authority (by most
> > definitions of authority that I am familiar with).  If you are willing to
> > trust your mailer with enough authority that the Nonbuggy Mailer works,
> > then you have trusted it with enough authority that the Nonbuggy Mailer
> > can violate your security goals.
>
> Aha. Perhaps you've uncovered another of my unintentionally unstated
> assumptions.
>
> I'm defining authority as "any action that can be performed or caused"
> to occur.

The difference in perspective I see here is due to differing
assumptions about what is considered an unknown variable.  Or, to put
it another way, what "free will" are you allowing these actors?

The meaning of "authority" or any sentence involving "can" depends on
what you consider fixed and variable.  To David, the Buggy Mailer's
code is a variable (authority restrictions are imposed upon it), but
to you, the code is a fixed entity, a given (the code defines its
behaviour and thus its authority).  The boundary between what you
consider given and variable is the boundary between "can" and "will".

I would say that your description is consistent, but you've chosen
to draw that boundary in a less conventional place than David has;
and I think a good way to clarify the example is to state precisely
which things are variables and which things are constants.


-- ?!ng
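An added example, not part of the thread: a small Python model of the two boundaries drawn above, one treating the mailer's code as a variable (authority = everything reachable) and one treating it as a constant (authority = what the code actually does). The capability graph, the object names and the two mailers' behaviours are constructed assumptions.

```python
# Added example (not from the cap-talk thread): "can" versus "will" for the
# Buggy and Nonbuggy Mailer. All names and behaviours below are constructed.
from typing import Callable, Dict, FrozenSet, List, Set

# Capability graph: each object maps to the capabilities it holds.
# Constructed; the thread never lists the mailer's actual capabilities.
GRAPH: Dict[str, Set[str]] = {
    "mailer": {"smtp", "addressbook", "draft"},
    "addressbook": {"contacts_file"},
    "smtp": set(), "draft": set(), "contacts_file": set(),
}

def potential_authority(graph: Dict[str, Set[str]], start: str) -> FrozenSet[str]:
    """Code treated as a variable: authority is every capability reachable."""
    seen: Set[str] = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for cap in graph.get(node, set()):
            if cap not in seen:
                seen.add(cap)
                stack.append(cap)
    return frozenset(seen)

class Trace:
    """Records which capabilities a fixed implementation actually invokes."""
    def __init__(self) -> None:
        self.used: List[str] = []
    def invoke(self, cap: str) -> None:
        self.used.append(cap)

def nonbuggy_mailer(t: Trace) -> None:
    t.invoke("draft"); t.invoke("smtp")            # sends only the user's draft

def buggy_mailer(t: Trace) -> None:
    t.invoke("draft"); t.invoke("smtp")
    t.invoke("addressbook"); t.invoke("contacts_file")  # the "problematic mode":
    t.invoke("smtp")                               # also ships the contacts out

def exercised_authority(impl: Callable[[Trace], None]) -> FrozenSet[str]:
    """Code treated as a constant: authority is what the code will do."""
    t = Trace()
    impl(t)
    return frozenset(t.used)

# Constructed security goal: the contacts file must never be touched by mail.
FORBIDDEN = frozenset({"contacts_file"})

def violates_goal(authority: FrozenSet[str]) -> bool:
    return bool(authority & FORBIDDEN)
```

Under the "variable code" boundary both mailers violate the goal, because both are granted the same reachable set; under the "fixed code" boundary only the Buggy Mailer does.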

