[cap-talk] Reinterpreting POLA - "Authority Must Not Exceed Trust"

Jed Donnelley jed at nersc.gov
Thu Sep 20 16:35:14 EDT 2007


Toby,

There has been a great deal of discussion deriving directly
or indirectly from your message below r.e. Reinterpreting
POLA.  I just went through the exercise of reading it all
again sequentially.  Having done so I'm still not sure
quite what value I can take away from the discussion.
I wonder if it might be helpful if you were to summarize
both your original point (in light of subsequent discussion)
and perhaps your understanding of the views expressed by
others on that point?

I'd like to have what amounts to a reset to try to
focus discussion of the topic of "Reinterpreting POLA -
'Authority Must Not Exceed Trust'".

On 9/17/2007 3:04 AM, Toby Murray wrote:
> Hi cap-talk,
> 
> In my work on formalising authority, I've found it useful to strengthen
> the usual notion of POLA to arrive at a more general definition of what
> it means for a system to be 'secure'.
> 
> The traditional definition of POLA says that 
> 
> "the authority of each object/subject/program/process/user/whatever
> should not exceed that needed for it to perform its function(s)."
> 
> This is useful but doesn't admit notions such as "separation of duty"
> which need to be defined separately (because they appear orthogonal to
> the above definition).
> 
> It also presumes there is some global administrator that can define the
> correct function(s) of each entity in the system.
> 
> Instead, I've found that a better definition of what we might desire is
> 
> "the authority of each object/subject/... should not exceed that which
> we trust it to wield."
> 
> In the case where "we" is a global system administrator and all entities
> are trusted to perform all of their functions, this collapses to
> traditional POLA. But it is also more general than POLA. 
> 
> It allows security to be defined separately from multiple points of
> view, for each of the stakeholders/actors in a system.
> 
> It also naturally admits separation of duty:
> 
> We might have an accounting package whose functions include writing and
> approving purchase orders, for example. A running instance of that
> package might be trusted to perform the former but not the latter (and
> vice versa) in order to prevent it from approving its own purchase
> orders. 
> 
> I've found this definition to be a useful generalisation of POLA. For
> example, under this definition excess authority is then defined as any
> authority that a subject is not trusted to have (rather than any
> authority that a subject doesn't require to perform its function(s)). 
> 
> I'd be curious to get the feelings of others on this list as to its
> utility.
> 
> Cheers
> 
> Toby
> 
> 
> 
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
> 
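The following Python model is an added illustration for this archive page; it is not part of Toby's message or of the thread. It encodes both definitions quoted above (excess authority as "not needed for its function" versus "not trusted to wield") and runs them over the purchase-order scenario from the message. The subject names, the two operations, the "finance controller" and "global administrator" trust views, and every function name are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """A running entity, with the authority it holds and what its function(s) need."""
    name: str
    authority: frozenset   # operations it can actually perform (e.g. capabilities held)
    needed: frozenset      # operations its function(s) require (traditional POLA baseline)


def excess_under_pola(subject):
    """Traditional POLA: excess = authority not needed to perform the function(s)."""
    return subject.authority - subject.needed


def excess_under_trust(subject, trusted):
    """Reinterpreted POLA: excess = authority the subject is not trusted to wield.
    `trusted` is one stakeholder's view of what this subject may exercise."""
    return subject.authority - trusted


def excess_from_view(subjects, trust_view):
    """Map each subject to its excess authority as seen from one stakeholder's trust view.
    trust_view maps subject name -> frozenset of trusted operations (absent = trusts nothing)."""
    return {s.name: excess_under_trust(s, trust_view.get(s.name, frozenset()))
            for s in subjects}


def is_secure_from(subjects, trust_view):
    """Secure from this stakeholder's point of view iff no subject holds untrusted authority."""
    return all(not excess for excess in excess_from_view(subjects, trust_view).values())


def least_authority(subject, trust_view):
    """Authority to grant so that neither definition flags excess: needed AND trusted."""
    return subject.needed & trust_view.get(subject.name, frozenset())


def collapses_to_pola(subjects, trust_view):
    """True when the trust-based definition agrees with traditional POLA for every subject."""
    return all(excess_under_trust(s, trust_view.get(s.name, frozenset())) == excess_under_pola(s)
               for s in subjects)


# --- constructed scenario (illustrative names, not taken from any real system) ---
WRITE_PO = "write_purchase_order"
APPROVE_PO = "approve_purchase_order"
BOTH = frozenset({WRITE_PO, APPROVE_PO})

# Two instances of the same accounting package. The package's functions genuinely
# include both operations, and each instance was handed the package's full authority.
INSTANCE_A = Subject("accounting_instance_A", authority=BOTH, needed=BOTH)
INSTANCE_B = Subject("accounting_instance_B", authority=BOTH, needed=BOTH)
SUBJECTS = (INSTANCE_A, INSTANCE_B)

# Finance controller's view (separation of duty): A may write, B may approve.
CONTROLLER_VIEW = {
    "accounting_instance_A": frozenset({WRITE_PO}),
    "accounting_instance_B": frozenset({APPROVE_PO}),
}

# Global administrator who trusts every entity to perform all of its functions:
# the case in which the trust-based definition collapses to traditional POLA.
ADMIN_VIEW = {s.name: s.needed for s in SUBJECTS}


if __name__ == "__main__":
    for s in SUBJECTS:
        print(s.name, "excess under POLA:", sorted(excess_under_pola(s)))
    print("controller view:", excess_from_view(SUBJECTS, CONTROLLER_VIEW))
    print("secure for controller?", is_secure_from(SUBJECTS, CONTROLLER_VIEW))
    print("admin view collapses to POLA?", collapses_to_pola(SUBJECTS, ADMIN_VIEW))
    for s in SUBJECTS:
        print("grant", s.name, "->", sorted(least_authority(s, CONTROLLER_VIEW)))
```

Under the traditional definition neither instance holds excess authority (each needs both operations), so separation of duty is invisible to it; under the controller's trust view each instance holds exactly one untrusted operation, and granting `needed & trusted` per instance is what removes it. With the administrator's view, where trust equals need, the two definitions agree for every subject.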
