[cap-talk] Failure isolation

Stiegler, Marc D marc.d.stiegler at hp.com
Tue Mar 18 21:31:13 EDT 2008


> Basically, to what extent are humans destined to not work
> well with POLAs? If humans are by nature not going to be
> perfect wrt security, what do the security implementations
> have to do to work with that fact rather than become useless
> / ineffectual due to it? Of course there are limits to what
> any system can offer and if the users don't follow the spirit
> that's just too bad (candy bars for passwords).

Security systems have to be deeply intuitive, i.e., meet a natural model of how human behavior produces results in keeping with human expectation. It's all about the user interface/user experience.

ACLs are shallowly intuitive. It is intuitive to point at a resource and say, "allow Alice to read it". But I find surprising numbers of people are surprised to realize that Alice can automate proxying for Carol, thus granting Carol authority. It is similarly surprising to learn, with all widely deployed ACLs, that if you give Alice read authority, she cannot delegate read authority (using ACLs) to someone else (to use the ACL, Alice must have ACL-editing authority, which confers to her de facto editing authority).

Capabilities as metaphorical keys produce a more deeply intuitive model. No one is surprised if Bob gives Alice a car key and then, lo! Alice gives the car key to Carol.

The car key is still not a perfect metaphor for ocaps. But there are lots of opportunities for making security more intuitive, particularly when using ocaps, that haven't been tried yet. Neither the human being nor the computer security machinery is today the greatest vulnerability. The greatest vulnerability is the place where they meet, which is a chink in the armor the size of a galaxy.

--marcs
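The delegation contrast in the post above (Alice proxying for Carol under an ACL, Alice needing ACL-editing authority to delegate properly, and a car key simply changing hands under ocaps) modelled as a small Python example. This is an added illustration, not code from the post or from any capability system; the `AclResource`, `Car` and `make_key` names and the principals Bob, Alice and Carol are constructed for the demonstration.

```python
class AccessDenied(Exception):
    pass


class AclResource:
    """Resource guarded by an ACL: a map from principal name to a set of rights.

    The resource decides by looking up the *identity* of the caller, so the
    only way to let a new principal in is to edit the ACL itself.
    """

    def __init__(self, owner, content):
        self.content = content
        # The owner can read and can edit the ACL (constructed rights model).
        self.acl = {owner: {"read", "edit_acl"}}

    def read(self, principal):
        if "read" not in self.acl.get(principal, set()):
            raise AccessDenied(f"{principal} may not read")
        return self.content

    def grant(self, grantor, grantee, right):
        # Changing the ACL requires ACL-editing authority, not merely "read".
        if "edit_acl" not in self.acl.get(grantor, set()):
            raise AccessDenied(f"{grantor} may not edit the ACL")
        self.acl.setdefault(grantee, set()).add(right)


def acl_delegation_demo():
    """Shows the three ACL behaviours the post describes."""
    doc = AclResource(owner="Bob", content="secret")
    doc.grant("Bob", "Alice", "read")

    # 1. Alice holds "read" but cannot delegate it through the ACL.
    try:
        doc.grant("Alice", "Carol", "read")
        alice_can_delegate = True
    except AccessDenied:
        alice_can_delegate = False

    # 2. Alice can nonetheless proxy: a callable that reads as "Alice" and
    #    hands the result to Carol. The ACL never learns Carol is involved.
    def proxy_for_carol():
        return doc.read("Alice")

    proxied = proxy_for_carol()

    # 3. To let Alice delegate "properly", Bob must give her edit_acl, which
    #    is full ACL-editing authority: she can now grant herself anything.
    doc.grant("Bob", "Alice", "edit_acl")
    doc.grant("Alice", "Carol", "read")
    doc.grant("Alice", "Alice", "delete")
    return {
        "alice_can_delegate_with_read_only": alice_can_delegate,
        "proxied_read": proxied,
        "carol_reads_after_edit_acl": doc.read("Carol"),
        "alice_rights_after_edit_acl": sorted(doc.acl["Alice"]),
    }


class Car:
    """The resource behind the 'car key' metaphor."""

    def __init__(self):
        self.starts = 0

    def start(self):
        self.starts += 1
        return "vroom"


def make_key(car):
    """A capability: an unforgeable reference whose possession *is* the authority.

    The closure is the only path to `car`; whoever holds it can start the car,
    and nobody checks a caller identity.
    """

    def key():
        return car.start()

    return key


def ocap_delegation_demo():
    """Bob gives Alice the key; Alice gives it to Carol. No ACL is edited."""
    car = Car()
    bobs_key = make_key(car)
    alices_key = bobs_key   # Bob hands Alice the key.
    carols_key = alices_key  # Alice hands Carol the same key.
    return {"carol_starts_car": carols_key(), "total_starts": car.starts}
```

Running both demos side by side shows the asymmetry: with the ACL, Alice's only delegation options are an identity-hiding proxy or being handed ACL-editing authority that far exceeds "read"; with the key, delegation is just passing the reference along, which matches the intuition the post describes.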
