[cap-talk] High level dissonance (was: Re: What sparked interest in capabilities)
zooko at zooko.com
Fri Feb 22 16:54:05 EST 2008
On Feb 22, 2008, at 11:45 AM, Rob Meijer wrote:
> Does this inversion of the privilege ownership and delegation make any
> sense to you? To me it does. I feel that making the user concept
> subject to POLA as the programs would be a good thing. Doing so IMO
> actually seems to make POLA simpler to implement than assigning the
> special high privilege role to the user.
I think you might be onto a good idea here. This mirrors what normal
people do in real life -- they never directly access the storage used
by their apps except occasionally when debugging, moving to a new
machine or a new app, recovering from disaster, etc. Most of them
wouldn't know how to locate that storage if they wanted to.
I think you are right that a natural user interface would reflect, as
you said in your message, that "under normal circumstances" users
never fiddle with that stuff.
This leaves open the question of how to handle abnormal
circumstances, two of which Ivan Krstic raised in his follow-ups. We
would want the "abnormal circumstances" access control to be general
(i.e., the same user interface is used to access the storage of all of
your apps -- the app doesn't have the ability to change the user
interface with which you can access its storage), and to be as safe
as possible against phishing.
Merely by moving it from the realm of normal circumstances to the
realm of abnormal, we have already made it safer against phishing.