[cap-talk] Statement on the desirability of delegation
david.hopwood at industrial-designers.co.uk
Tue Jan 29 20:38:11 EST 2008
Jed Donnelley wrote:
> On 1/27/2008 4:19 PM, David Hopwood wrote:
>> Delegation of authority is not undesirable -- quite the contrary.
>> It's particularly desirable to support it between processes, but it's
>> also desirable to support it between people. The only valuable
>> enforced restrictions on delegation are those that arise from restricting
>> communication channels (which incidentally, most non-capability
>> systems do a really bad job of). After the considerable amount of
>> discussion on this list about the topic, I still haven't seen anything
>> that would dissuade me of that.
> I just thought I'd mention that the above is a good summary
> of the situation as I see it also.
> However, I will mention that I think there is a valuable role
> for policy checking/enforcing channels (e.g. Horton).
> Such a channel might be thought of as AlanK refers to as
> "Voluntary Oblivious Compliance" (VOC) if other channels
> are available. For example, a person I might be able to
> send a capability (or proxy) access to an object to another
> person either directly or through a channel that checks/enforces
> some policy with regard to delegation (e.g. MLS, proprietary
> data, etc.). Most people who desire to act in accordance with
> societal or organizational policies would make no effort to
> get around default setups to communicate through such policy
> checking channels. If there are no other channels available,
> then such a mechanism becomes a Mandatory Access Control policy
> enforcement point. I consider it a value that the same
> mechanism, policy procedures, auditing, etc. can be used
> in both situations.
I agree; note that such mechanisms work by restricting communication
However, I think a capability system would also work quite well without
any such mechanism or protocol. It is the "icing on the cake", not a
fundamental requirement. I also think that its value in knocking down
a *psychological* objection to free delegation may well be greater than
its concrete security value. This motivates keeping such mechanisms as
simple as possible; I would like to see one that is simpler than Horton if
at all feasible. (Yes, this means I should do some of the work rather
than just complaining.)
More information about the cap-talk