[cap-talk] Statement on the desirability of delegation
jed at nersc.gov
Tue Jan 29 14:58:51 EST 2008
On 1/27/2008 4:19 PM, David Hopwood wrote:
> Delegation of authority is not undesirable -- quite the contrary.
> It's particularly desirable to support it between processes, but it's
> also desirable to support it between people. The only valuable
> enforced restrictions on delegation are those that arise from restricting
> communication channels (which incidentally, most non-capability
> systems do a really bad job of). After the considerable amount of
> discussion on this list about the topic, I still haven't seen anything
> that would dissuade me of that.
I just thought I'd mention that the above is a good summary
of the situation as I see it also.
However, I will mention that I think there is a valuable role
for policy checking/enforcing channels (e.g. Horton).
Such a channel might be thought of as what AlanK refers to as
"Voluntary Oblivious Compliance" (VOC) if other channels
are available. For example, I might be able to
send a capability (or proxy) for access to an object to another
person either directly or through a channel that checks/enforces
some policy with regard to delegation (e.g. MLS, proprietary
data, etc.). Most people who desire to act in accordance with
societal or organizational policies would make no effort to
get around default setups to communicate through such policy
checking channels. If there are no other channels available,
then such a mechanism becomes a Mandatory Access Control policy
enforcement point. I consider it a value that the same
mechanism, policy procedures, auditing, etc. can be used
in both situations.
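As an added illustration (not part of the post above, and not Horton's own code), the following Python model shows the two situations the reply contrasts: a policy-checking channel that is one of several channels (VOC) versus the same channel as the only one available (a mandatory enforcement point). The principals, labels ("public", "proprietary") and the clearance-based delegation policy are constructed for the example.

```python
"""Toy model of a policy-checking delegation channel (added example).

Capabilities are plain Python object references; a principal can only
hand one to another principal through a channel.  PolicyChannel checks
a delegation policy and audits every attempt; DirectChannel forwards
anything.  Whether the policy is voluntary or mandatory depends only on
which channels exist, not on the channel's own code.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference to a resource, tagged with a policy label."""
    resource: str
    label: str  # "public" or "proprietary" (labels constructed for the example)

    def invoke(self) -> str:
        return f"read({self.resource})"


@dataclass
class Principal:
    name: str
    clearance: frozenset            # labels this principal may hold
    held: dict = field(default_factory=dict)  # resource -> Capability

    def receive(self, cap: Capability) -> None:
        self.held[cap.resource] = cap


class DirectChannel:
    """Unrestricted channel: any delegation goes through, nothing is logged."""

    def send(self, sender: Principal, recipient: Principal, cap: Capability) -> bool:
        recipient.receive(cap)
        return True


class PolicyChannel:
    """Channel that checks a delegation policy and records an audit trail."""

    def __init__(self) -> None:
        self.audit: list = []

    def allowed(self, sender: Principal, recipient: Principal, cap: Capability) -> bool:
        # Constructed policy: the sender must actually hold the capability
        # (no forged references) and the recipient must be cleared for its label.
        return cap.resource in sender.held and cap.label in recipient.clearance

    def send(self, sender: Principal, recipient: Principal, cap: Capability) -> bool:
        ok = self.allowed(sender, recipient, cap)
        self.audit.append((sender.name, recipient.name, cap.resource,
                           cap.label, "ALLOW" if ok else "DENY"))
        if ok:
            recipient.receive(cap)
        return ok


def try_delegate(sender: Principal, recipient: Principal, cap: Capability, channels: list):
    """Try each available channel in turn (policy channel first, as the
    default setup), the way someone determined to get around the policy
    would.  Return the class name of the channel that carried the
    capability, or None if every channel refused."""
    for ch in channels:
        if ch.send(sender, recipient, cap):
            return type(ch).__name__
    return None


def scenario(mandatory: bool) -> dict:
    """alice holds a public and a proprietary capability; bob is cleared
    only for public data.  mandatory=True: the policy channel is the only
    channel.  mandatory=False: a direct channel exists alongside it."""
    alice = Principal("alice", frozenset({"public", "proprietary"}))
    bob = Principal("bob", frozenset({"public"}))
    public = Capability("/docs/readme", "public")
    secret = Capability("/docs/roadmap", "proprietary")
    alice.receive(public)
    alice.receive(secret)

    policy = PolicyChannel()
    channels = [policy] if mandatory else [policy, DirectChannel()]
    return {
        "public_via": try_delegate(alice, bob, public, channels),
        "secret_via": try_delegate(alice, bob, secret, channels),
        "bob_has_secret": secret.resource in bob.held,
        "audit": list(policy.audit),  # identical in both situations
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("mandatory" if mode else "voluntary", scenario(mode))
```

In both runs the policy channel produces the same audit trail (ALLOW for the public capability, DENY for the proprietary one); what differs is only whether a second, unchecked channel lets the denied delegation happen anyway. That is the point the reply makes: the mechanism, policy and auditing are the same, and restricting the set of channels is what turns voluntary compliance into mandatory enforcement.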