[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

David Wagner daw at cs.berkeley.edu
Tue Sep 18 16:42:47 EDT 2007


Toby Murray writes:
>Indeed. In either case, however, the user would be unhappy were the
>mailer to have the (behaviour and) ability to insert "not" into the
>user's message or otherwise corrupt its meaning. When analysing a model
>of the mailer, what I care about, then, is whether the behaviour
>represented by the model allows the mailer to acquire authority that
>exceeds that which the user is willing to trust it with -- i.e. whether
>in the model (which is assumed to capture all possible behaviours of the
>relevant mailer) the mailer can perform or cause the user's message to
>be corrupted.

Got it.  Now I understand where you are going.  It makes sense.

Your final (nicely worded) paragraph illustrates a confusion of my own.
You point out the distinction between ability and behavior.  The ability
of the mailer is independent of its code and is determined by things like
what capabilities it is provided with, what restrictions the underlying
platform or OS enforce, and the behavior of other entities that it
interacts with.  The behavior of the mailer depends on the code of the
mailer as well as on its ability.  When we talk about the authority that
the mailer has, do we mean to take its behavior into account, or only
its ability?  I am used to thinking about the authority of an entity
only in terms of that entity's ability, not its behavior.
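The ability/behavior distinction David draws can be made concrete in a small object-capability model. The following is an added example, not code from the thread or from any system its participants describe; the `Message`, `read_only_facet`, and mailer names are hypothetical. A mailer's ability is fixed by the reference it is handed (a full message object or an attenuated read-only facet), while its behavior is whatever its code attempts; a mailer whose code tries to insert "not" succeeds only when its ability was never attenuated.

```python
"""Model of 'ability' versus 'behaviour' for a mailer holding a message.

Constructed illustration: the mailer's ability is bounded by the reference it
receives, independent of its code.  Python does not enforce encapsulation
(closures can be introspected), so this is a model of the idea, not a
confinement mechanism.
"""


class Message:
    """The user's message; holding this reference grants read and write ability."""

    def __init__(self, recipient, body):
        self.recipient = recipient
        self.body = body

    def set_body(self, body):
        self.body = body


def read_only_facet(msg):
    """Attenuated capability: exposes reading but no mutation of the message."""

    class Facet:
        @property
        def recipient(self):
            return msg.recipient

        @property
        def body(self):
            return msg.body

    return Facet()


def ability(cap):
    """Operations the holder of `cap` can perform, regardless of what code holds it."""
    ops = {"read"}
    if hasattr(cap, "set_body"):
        ops.add("write")
    return frozenset(ops)


def honest_mailer(msg, transport):
    """Behaviour: forward the message unchanged."""
    transport.append((msg.recipient, msg.body))


def corrupting_mailer(msg, transport):
    """Behaviour: code that attempts to invert the meaning before forwarding."""
    try:
        msg.set_body(msg.body.replace("will", "will not"))
    except AttributeError:
        pass  # the facet carries no mutation ability; the attempt has no effect
    transport.append((msg.recipient, msg.body))


def deliver(mailer, attenuate):
    """Run one mailer over a constructed message.

    Returns (body that reached the transport, body left in the user's message).
    """
    message = Message("alice@example.invalid", "I will attend the meeting")
    cap = read_only_facet(message) if attenuate else message
    transport = []
    mailer(cap, transport)
    return transport[0][1], message.body


if __name__ == "__main__":
    for name, mailer in (("honest", honest_mailer), ("corrupting", corrupting_mailer)):
        for attenuate in (False, True):
            print(name, "attenuated" if attenuate else "full", deliver(mailer, attenuate))
```

The `ability` function depends only on the capability, never on which mailer holds it; the `deliver` results differ by behavior only when the ability permits writing. Reasoning about authority purely in terms of ability, as the post describes, is the same as asking what `ability(cap)` returns before any mailer code runs.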
