[cap-talk] the value of non-delegatable authority?

David Hopwood david.hopwood at industrial-designers.co.uk
Tue Jan 15 00:29:51 EST 2008


Toby Murray wrote:
> On Mon, 2008-01-14 at 01:35 -0800, Jed Donnelley wrote:
> 
>> a person with
>> a clearance does have the authority to delegate the permission
>> to read any documents that they can themselves read to anybody
>> with whom they can communicate - however, they have a
>> responsibility (duty) not to do so.  That is, they are trusted
>> not to do so.
>>
>> Does the above phrasing make sense to you?  If not, what if
>> I substituted the word "power" for "authority" in the above?
> 
> Yes
> 
> A security-cleared person can delegate the right to read a particular
> classified document to someone else by simply passing them the document,
> or making a copy of it and passing them the copy. They have
> the /authority/ to do so, because the rules of the game don't prevent it
> from occurring. But as you say, they have a /responsibility/ not to,
> i.e. they are trusted not to perform this action that they have the
> authority to perform.
> 
> However, we're talking about different authorities here.
> 
> While a cleared individual can delegate the permission to read a
> particular document, they cannot delegate their clearance to another
> individual.

Yes they can, by acting as a proxy.

If human Alice has access to a document, she can always give human
Bob access to it. If we don't want that, we have to trust Alice not
to do so. Alternatively, we have to lock Alice in a room while she
reads the document, and then kill her or wipe her memory afterwards --
which is impractical even for defence employees.

This does not imply that the program Alice uses to read the document
should be able to pass it on to any of Bob's programs. Alice's reader
program can be confined; Alice cannot. That is, we *can* do the
equivalent of locking the reader program in a room, and killing it
or wiping its memory afterwards.

Programs often have bugs that make them exploitable. Humans may have
psychological flaws and may be susceptible to coercion, but the means
of detecting or preventing such human flaws are quite different from
detecting or preventing a bug.

The defence community seems to have a blind spot when it comes to
defining security policies: they fail to distinguish between humans
and software agents when it is necessary to do so. That is, they
believe that the same policy should be applied at both levels (I think
they may even believe that this is essential in order for a policy to
be enforceable).

The ss- and *-properties are not really what the defence community
needs in a computer security policy, whether they know it or not.
What they need is a generalization of a "need to know" policy to
authorities other than knowledge -- i.e. a "need to do" policy.
In other words, they need POLA. Capability systems could provide that,
but only by embracing delegation at the program-to-program or
object-to-object level.

-- 
David Hopwood

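The confinement argument above (a reader program can be locked in a room and wiped afterwards, whereas a human cannot) is what object-capability systems implement with two patterns: hand the program only the references it needs, and hand them out through a revocable forwarder. The following is an added illustration, not code from David Hopwood's post or from any particular capability system; the class and variable names are invented. Python is used as notation only and does not by itself remove ambient authority (imports, globals, the file system), so the "no reference to Bob" property below holds by construction of the demo rather than by the interpreter; an ocap language or an OS-level sandbox is what enforces it for real.

```python
# Added example: object-capability confinement of a reader program.
# Not from the original post; all names are illustrative. Python is
# notation here: the interpreter does not enforce the absence of ambient
# authority, so "the reader can reach nothing but what it was given" is
# enforced by how the objects are wired, and checked by run_session().


class Document:
    """A classified document, readable only by holders of a capability to it."""

    def __init__(self, text):
        self._text = text

    def read(self):
        return self._text


class Revoked(Exception):
    pass


class Caretaker:
    """Revocable forwarder (the ocap 'caretaker' pattern).

    The document owner hands out the caretaker instead of the document and
    keeps revoke() for itself.  After revoke(), every copy of the forwarder
    the holder may have made is equally dead: the program-level analogue of
    'wipe its memory afterwards'.
    """

    def __init__(self, target):
        self._target = target

    def read(self):
        if self._target is None:
            raise Revoked("read capability revoked")
        return self._target.read()

    def revoke(self):
        self._target = None


class Sink:
    """An output channel. Alice's screen and Bob's inbox are both Sinks; the
    reader is only ever constructed with Alice's."""

    def __init__(self, owner):
        self.owner = owner
        self.received = []

    def write(self, data):
        self.received.append(data)


class ConfinedReader:
    """Alice's reader program.  Its entire authority is the two capabilities
    passed to the constructor: read the document, write to one sink."""

    def __init__(self, doc_cap, sink_cap):
        self._doc = doc_cap
        self._out = sink_cap

    def show(self):
        # A buggy or malicious reader can still only send the text to the
        # sink it holds; it has no reference through which to reach Bob.
        text = self._doc.read()
        self._out.write(text)
        return text

    def held_capabilities(self):
        # Introspection for the demo: everything this program can reach.
        return [self._doc, self._out]


def run_session():
    """Alice reads through a confined reader; the reader is then revoked."""
    secret = Document("TOP SECRET: example text")
    alice_screen = Sink("alice")
    bob_inbox = Sink("bob")        # exists in the system, never given to the reader

    doc_cap = Caretaker(secret)    # revocable read capability for this session
    reader = ConfinedReader(doc_cap, alice_screen)

    shown = reader.show()          # Alice reads the document
    doc_cap.revoke()               # session over: withdraw the reader's authority

    try:
        reader.show()
        revoked_afterwards = False
    except Revoked:
        revoked_afterwards = True

    reachable = reader.held_capabilities()
    return {
        "shown": shown,
        "alice_saw": alice_screen.received,
        "bob_got": bob_inbox.received,
        "bob_reachable_from_reader": any(r is bob_inbox for r in reachable),
        "revoked_afterwards": revoked_afterwards,
    }


if __name__ == "__main__":
    print(run_session())
```

The contrast with the human case is the point: Alice herself holds references to both the document and to Bob, so no such wiring can stop her, and she must simply be trusted; the reader holds exactly what it was handed, and once the caretaker is revoked it holds nothing useful at all.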