[cap-talk] Trust and the Orange Book (was: Re: the value of non-delegatable authority?)

Marc Stiegler marcs at skyhunter.com
Tue Jan 15 20:17:54 EST 2008


Another problem with this approach is the rather fantastical
presumption that the central administration with control of access
rights, typically a person in an IT bureaucracy, has information even
as good as Alice about the appropriateness of the grant of access.

For the sake of the IT folks, so that they may have jobs defined in
such a fashion that they may perform those jobs competently, they must
be allowed to relieve themselves of the burden of making decisions for
which they are ignorant of all the crucial facts on the ground.

The head of a joint HP-Intel project has the knowledge to set up
access control on HP resources for Intel project members; the IT folk
do not. So the head of that project must be able to delegate access
control to someone else who has as many facts as he has (another
member of the project team) since the project head has too many other
burdens to be spending his days fiddling with access control (either
ACLs or obj-caps).

As Alan says, a VOC solution is left as an exercise for the reader.

--marcs

On Jan 15, 2008 2:11 PM, Karp, Alan H <alan.karp at hp.com> wrote:
> Jed wrote:
> >
> > I believe it really came (comes) back to those "loose
> > capabilities" fear, the fear of delegation as in:
> >
> It took me a long time to understand what the ACL folks mean when they talk about "losing control".  I think I do now.
>
> Take a perfectly trustworthy individual, Alice, running a perfectly trustworthy program, A, that can interact with a non-trustworthy program, B, run by a non-trustworthy person, Bob.  Alice will not direct A to delegate certain authorities to B if she knows Bob is not to be trusted with them.  That may not be an easy fact for Alice to determine.  The ACL approach requires Alice to ask an administrator, who presumably has information Alice does not, who would deny access if allowing it would violate policy.  In this case, it is better for Alice's request to fail than for the access to be allowed.
>
> The problem with this approach, as we all know, is that it makes all delegation difficult, even for Alice to delegate part of her authority to A.  The result is that A runs with all of Alice's authority, and Alice can only delegate by sharing her credentials with others, which all too frequently includes Bob.
>
> A system that enforces Voluntary Oblivious Compliance allows Alice to freely delegate authorities with the assurance that policy will not be violated.  Designing and implementing such a system is left as an exercise for the reader.
>
> ________________________
> Alan Karp
> Principal Scientist
> Virus Safe Computing Initiative
> Hewlett-Packard Laboratories
> 1501 Page Mill Road
> Palo Alto, CA 94304
> (650) 857-3967, fax (650) 857-7029
> http://www.hpl.hp.com/personal/Alan_Karp
>
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
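The two delegation models argued over above, as an added example that is not code from this thread or from either author. It models the HP-Intel scenario with plain object capabilities: the project head holds a capability over the joint project's files, hands the team lead an equally-scoped capability that keeps the right to delegate, and the lead issues members read-only, non-delegable capabilities; every delegation can only narrow scope or rights. Alongside it, a small ACL model shows the failure mode Alan describes, where the only way to let Bob act is to hand over the whole credential. The store paths, the three rights, and the attenuation rules are constructed for illustration; nothing here claims to be the Voluntary Oblivious Compliance system Alan leaves as an exercise.

```python
"""Capability delegation with attenuation vs. ACL credential sharing.
Added example; paths, rights and store contents are constructed."""
from dataclasses import dataclass
from typing import FrozenSet


class Store:
    """The protected resource: a tiny in-memory file store (sample data)."""

    def __init__(self) -> None:
        self._files = {
            "/hp/projects/intel-joint/spec.txt": "joint spec",
            "/hp/projects/intel-joint/notes.txt": "meeting notes",
            "/hp/projects/secret/plan.txt": "HP-only plan",
        }

    def read(self, path: str) -> str:
        return self._files[path]

    def write(self, path: str, data: str) -> None:
        self._files[path] = data


ALL_RIGHTS = frozenset({"read", "write", "delegate"})  # assumed right names


@dataclass(frozen=True)
class Capability:
    """Holding the object is the authority; the Store itself is never handed out.
    `scope` is a path prefix, `rights` a subset of ALL_RIGHTS."""
    _store: Store
    scope: str
    rights: FrozenSet[str]

    def _check(self, right: str, path: str) -> None:
        if right not in self.rights:
            raise PermissionError(f"capability lacks '{right}'")
        if not path.startswith(self.scope):
            raise PermissionError(f"{path} outside scope {self.scope}")

    def read(self, path: str) -> str:
        self._check("read", path)
        return self._store.read(path)

    def write(self, path: str, data: str) -> None:
        self._check("write", path)
        self._store.write(path, data)

    def attenuate(self, scope=None, rights=None) -> "Capability":
        """Delegate without an administrator: the result can do only a subset
        of what this capability can. Narrowing is enforced here, so a holder
        cannot escalate by 'delegating' a wider capability to themselves."""
        if "delegate" not in self.rights:
            raise PermissionError("capability is not delegable")
        new_scope = self.scope if scope is None else scope
        new_rights = self.rights if rights is None else frozenset(rights)
        if not new_scope.startswith(self.scope):
            raise PermissionError("cannot widen scope")
        if not new_rights <= self.rights:
            raise PermissionError("cannot add rights")
        return Capability(self._store, new_scope, new_rights)


def _attempt(fn, *args) -> str:
    try:
        fn(*args)
        return "ok"
    except PermissionError as e:
        return f"denied: {e}"


def scenario() -> dict:
    """The HP-Intel case end to end; returns what each party could do."""
    store = Store()
    root = Capability(store, "/", ALL_RIGHTS)          # whoever set up the store
    head = root.attenuate(scope="/hp/projects/intel-joint/")  # project head
    lead = head.attenuate()                            # access control itself delegated
    intel_member = lead.attenuate(rights={"read"})     # read-only, non-delegable
    return {
        "member_reads": intel_member.read("/hp/projects/intel-joint/spec.txt"),
        "member_write": _attempt(intel_member.write, "/hp/projects/intel-joint/spec.txt", "x"),
        "member_secret": _attempt(intel_member.read, "/hp/projects/secret/plan.txt"),
        "member_delegates": _attempt(intel_member.attenuate),
        "lead_widen": _attempt(lead.attenuate, "/hp/"),
        "head_writes": _attempt(head.write, "/hp/projects/intel-joint/notes.txt", "updated"),
    }


def acl_credential_sharing() -> set:
    """The ACL failure mode: Alice can only let Bob act by giving him her
    credential, which carries every right the ACLs grant her, not a subset."""
    acl = {  # constructed ACL table: path prefix -> principal -> rights
        "/hp/projects/intel-joint/": {"alice": {"read", "write"}},
        "/hp/projects/secret/": {"alice": {"read"}},
    }
    credential = "alice"  # what Alice hands to Bob
    return {(path, right) for path, entries in acl.items()
            for right in entries.get(credential, ())}
```

Running `scenario()` shows the Intel member reading the joint spec but being denied a write, denied the HP-only file, and denied further delegation, while the lead is denied widening its own scope; `acl_credential_sharing()` shows Bob inheriting Alice's read on the secret directory along with the project rights she meant to share.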