[cap-talk] High level dissonance
James A. Donald
jamesd at echeque.com
Fri Feb 22 20:28:08 EST 2008

At 01:44 PM 2/19/2008, Ivan Krstic wrote:
> There are some very clever ideas in the object capability
> paradigm, but all told, I can't help but feel that many capability
> "believers" are making the same mistake I made with cryptography:
> they're focused on beautiful solutions to beautiful problems _in
> the absence of people_.

Amen to that.

People need to be secure; we need to make the things people do secure,
so capabilities need to be discussed primarily in the context of user
interface design patterns whereby trusted software interprets user
actions as permissions for less trusted software.

Users and user interfaces are curiously absent from this list's
discussions, though all attacks are attacks on users, and all attacks
either attack the user interface, or have as their ultimate aim
deception of the user.

Similarly with cryptography, the problem with TLS and SSL is not just
X.509, it is that when you provide an authenticated secure channel, you
have not in fact accomplished anything unless the users and application
comply with the characteristics of the channel - which of course they do
not. Instead of providing a secure authenticated channel, you have to
secure and authenticate what the user and application are actually doing.

TLS and SSL provide a secure layer - so we get attacks at the
application layer (session fixation), at the user interface layer
(phishing) and at the TCP layer (the great firewall of China forging TCP
control packets to censor the fact of censorship).

Observe that the lowest level attack of them all (forged TCP control
packets) still has the user, the user's perceptions as its target - if
more direct methods of censorship were used this would act like a
flashing neon sign telling the users "Here is information the government
wants to conceal from you".

It is all about users. The end user, and the end user's perceptions,
need to be present in every discussion.