[cap-talk] Trust and the Orange Book (was: Re: the value of non-delegatable authority?)
Karp, Alan H
alan.karp at hp.com
Tue Jan 15 17:11:40 EST 2008
Jed wrote:
>
> I believe it really came (comes) back to those "loose
> capabilities" fear, the fear of delegation as in:
>
It took me a long time to understand what the ACL folks mean when they talk about "losing control". I think I do now.
Take a perfectly trustworthy individual, Alice, running a perfectly trustworthy program, A, that can interact with a non-trustworthy program, B, run by a non-trustworthy person, Bob. Alice will not direct A to delegate certain authorities to B if she knows Bob is not to be trusted with them. That may not be an easy fact for Alice to determine. The ACL approach requires Alice to ask an administrator, who presumably has information Alice does not and who would deny access if allowing it would violate policy. In this case, it is better for Alice's request to fail than for the access to be allowed.
The problem with this approach, as we all know, is that it makes all delegation difficult, even for Alice to delegate part of her authority to A. The result is that A runs with all of Alice's authority, and Alice can only delegate by sharing her credentials with others, which all too frequently includes Bob.
A system that enforces Voluntary Oblivious Compliance allows Alice to freely delegate authorities with the assurance that policy will not be violated. Designing and implementing such a system is left as an exercise for the reader.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
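The following is an added example, not code from the post or from any cap-talk project, and it does not implement Voluntary Oblivious Compliance. It is a toy model of the two delegation stories in the message: in the ACL world a program run by Alice carries all of Alice's authority, so the only way she can let B read one file is to share her credentials, and B then reaches everything; in the capability world she hands B a revocable reference to one file and nothing else. All names, paths and file contents are constructed, and Python does not actually confine B (it could reach the FILES global), so the code models the discipline of passing authority explicitly rather than enforcing it.

```python
# Added example (not from the cap-talk post): a toy model of the two delegation
# stories Karp contrasts. Names (Alice, Bob, programs A/B, paths, contents) are
# constructed; Python does not confine B, so this models the discipline of
# passing authority explicitly rather than enforcing it.

FILES = {                      # constructed sample "file system"
    "/home/alice/secret.txt": "do not share",
    "/home/alice/report.txt": "Q4 numbers",
}


class Denied(Exception):
    """ACL check failed."""


class Revoked(Exception):
    """Capability was withdrawn by its grantor."""


# --- ACL / ambient-authority world -------------------------------------------
ACL = {"alice": set(FILES), "bob": set()}   # per-principal read permissions


def acl_read(principal: str, path: str) -> str:
    """Every read is decided by who the caller is, not by what was requested."""
    if path not in ACL.get(principal, set()):
        raise Denied(f"{principal} may not read {path}")
    return FILES[path]


def run_as(principal: str, program) -> str:
    """A program run by `principal` gets ALL of that principal's authority;
    there is no way to hand it just one file."""
    return program(lambda path: acl_read(principal, path))


def program_a(read) -> str:          # the trustworthy program A
    return read("/home/alice/report.txt")


def program_b(read) -> str:          # Bob's untrustworthy program B
    return read("/home/alice/secret.txt")   # reaches for whatever it can


def acl_story() -> dict:
    """Alice wants Bob to see report.txt. Bob is not on the ACL, so a direct
    read is denied; if she 'shares her credentials', B takes everything."""
    out = {}
    try:
        acl_read("bob", "/home/alice/report.txt")
    except Denied:
        out["bob_direct"] = "denied"
    out["b_with_alices_creds"] = run_as("alice", program_b)
    return out


# --- Capability world ----------------------------------------------------------
class FileCap:
    """Holding the reference IS the authority; there is no identity check."""
    def __init__(self, path: str):
        self._path = path

    def read(self) -> str:
        return FILES[self._path]


class Revocable:
    """Caretaker pattern: a forwarder Alice keeps control of. Delegating this,
    rather than the underlying FileCap, lets her cut B off later."""
    def __init__(self, target):
        self._target = target

    def read(self) -> str:
        if self._target is None:
            raise Revoked("grantor revoked this capability")
        return self._target.read()

    def revoke(self) -> None:
        self._target = None


def program_b_cap(cap) -> str:
    return cap.read()     # B can only use what it was handed


def cap_story() -> dict:
    """Alice hands B a revocable capability to report.txt only; B never
    receives anything naming secret.txt, and Alice can withdraw the grant."""
    out = {}
    grant = Revocable(FileCap("/home/alice/report.txt"))
    out["b_reads"] = program_b_cap(grant)
    grant.revoke()
    try:
        program_b_cap(grant)
    except Revoked:
        out["after_revoke"] = "revoked"
    return out


if __name__ == "__main__":
    print(acl_story())
    print(cap_story())
```

The point the model makes visible is that in the ACL story Alice's "loss of control" comes from the granularity of what she can hand over (all of herself or nothing), while in the capability story the grant is exactly one file and stays under her control through the caretaker.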