[cap-talk] High level dissonance

James A. Donald jamesd at echeque.com
Sat Feb 23 01:34:59 EST 2008


William Pearson wrote:
 > How does an application get the privilege in the first
 > place, if not delegated by the user?

In order to be able to delegate the privilege, the user
has to use some already privileged software to do it.
Necessarily some things come with privileges built in
during the boot-up process.  FDISK and system restore from
backup should be among those things.

The objective is to *reduce* the amount of software that
the end user has to trust.  He still has to trust some
software.

We have to think about the *human* process whereby trust
in software is granted - presumably software needs to be
signed by a human being or organization, and needs to be
declared by the signer as doing a particular function.
If something is signed as a game or media viewer, the
installation script is not going to give it the
privilege of even asking for broad privileges.  If
software is declared to have the function of displaying
stuff, it gets easily installed automatically with no
fuss, behind the scenes, but gets no write privileges.

I envisage that when you download an operating system
distro, a package manager is part of that distro, the
package manager hands out install time privileges on the
basis of the declared nature of the program that it is
to install, and if a program to be installed requests
extraordinary privileges on installation, installation
will simply fail, will not even be possible unless the
package has a digital signature blessed by the
assemblers of the distro, or unless the end user takes
extraordinary measures.

The distro will come with a digitally signed FDISK and
with a system restore, and if the end user wants to
upgrade the FDISK or the system restore to a new package
with a compatible signature, no problem, but if he wants
to replace the FDISK with one with an unknown signature -
well, no need to make it too easy for him.

There will, however, be no fuss about replacing the jpeg
viewer.
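
The install-time policy sketched in the post above, worked through as an added example (editor's illustration, not code from the post or from any real package manager). The role names, privilege names, the signer keys and the "blessed signer" set are assumptions; HMAC-SHA256 stands in for the digital signatures so the example runs on the standard library alone, and the policy logic would be identical with asymmetric signatures and a public keyring.

```python
"""Install-time privilege policy: declared role sets a privilege ceiling,
exceeding it needs a distro-blessed signature, and a package that holds
write privileges may only be replaced by one with a compatible signature."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Privilege ceiling per declared function. Names are assumptions for this
# example; the post only distinguishes "displaying stuff" from write access.
ROLE_CEILING = {
    "game":      {"display", "audio", "input"},
    "viewer":    {"display"},
    "disk-tool": {"display", "raw-disk", "write-system"},
    "restore":   {"display", "read-backup", "write-system"},
}

# Constructed stand-in keys (HMAC instead of real asymmetric signatures).
SIGNER_KEYS = {
    "distro":  b"distro-assemblers-key-(constructed)",
    "acme-sw": b"acme-software-key-(constructed)",
}
# Only these signers may bless a package that asks beyond its role's ceiling.
BLESSED_SIGNERS = {"distro"}
# Privileges that make an installed package "privileged" for replacement rules.
WRITE_PRIVS = {"write-system", "raw-disk"}


@dataclass(frozen=True)
class Manifest:
    name: str
    role: str           # the function the signer declares
    privileges: frozenset
    version: str

    def canonical(self) -> bytes:
        """Canonical JSON bytes: exactly what is signed and verified."""
        return json.dumps(
            {"name": self.name, "role": self.role,
             "privileges": sorted(self.privileges), "version": self.version},
            sort_keys=True, separators=(",", ":")).encode()


def sign(manifest: Manifest, signer: str) -> bytes:
    return hmac.new(SIGNER_KEYS[signer], manifest.canonical(), hashlib.sha256).digest()


def identify_signer(manifest: Manifest, sig: bytes):
    """Name of the signer whose key validates sig, or None if unknown/tampered."""
    for name, key in SIGNER_KEYS.items():
        expected = hmac.new(key, manifest.canonical(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return name
    return None


def decide(manifest: Manifest, sig: bytes, installed=None, override=False):
    """Return ('install' | 'refuse', reason).

    installed: {package name: signer of the currently installed version}.
    override:  the end user's "extraordinary measures"; off by default.
    """
    installed = installed or {}
    signer = identify_signer(manifest, sig)
    if signer is None:
        return "refuse", "signature unknown or manifest tampered"

    ceiling = ROLE_CEILING.get(manifest.role)
    if ceiling is None:
        return "refuse", f"undeclared role {manifest.role!r}"

    # A game or viewer asking for write privileges simply fails to install,
    # unless the distro assemblers blessed it or the user overrides.
    extra = manifest.privileges - ceiling
    if extra and signer not in BLESSED_SIGNERS and not override:
        return "refuse", f"{manifest.role} package asks for {sorted(extra)}"

    # Replacing an installed FDISK-like package needs a compatible signature;
    # replacing a plain viewer is no fuss.
    prev_signer = installed.get(manifest.name)
    if (prev_signer is not None and manifest.privileges & WRITE_PRIVS
            and signer != prev_signer and not override):
        return "refuse", (f"installed {manifest.name} is signed by {prev_signer}, "
                          f"replacement by {signer}")

    return "install", f"{manifest.role} signed by {signer}"


if __name__ == "__main__":
    fdisk = Manifest("fdisk", "disk-tool", frozenset(ROLE_CEILING["disk-tool"]), "3.1")
    print(decide(fdisk, sign(fdisk, "acme-sw"), {"fdisk": "distro"}))
```

Note that tampering with the manifest after signing (say, adding `write-system` to a viewer's privilege list) is caught before any policy check, because the signature covers the canonical form of the whole manifest, privileges included.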


More information about the cap-talk mailing list