[cap-talk] Rooted graph bad for POLA ? ( search capability )

Rob Meijer capibara at xs4all.nl
Thu Oct 2 06:41:06 CDT 2008


On Mon, September 29, 2008 14:07, Marcus Brinkmann wrote:
> At Mon, 29 Sep 2008 06:35:36 +0200 (CEST),
> "Rob Meijer" <capibara at xs4all.nl> wrote:
>> *  The 'least authority' graphs that have a single 'root' are only a
>>    subset of all least authority graphs. Most graphs with a single root
>>    could potentially be refactored to a rootless graph that adheres to
>>    POLA in a much stronger way.
>
..
>
> So, I don't think your claim is stated correctly.  Interpreting the
> spirit of it, you rather seem to make a claim about the validity of
> certain stake holder interests.  The actual question is if there are
> stakeholders with legitimate interest in the super-root.  Your claim
> is that this is never the case.

Not as strong as that. My hypothesis is that in a large subset of cases
where a domain requires a super-root, refactoring of interaction
decomposition of the services provided by the domain would result in the
same if not a higher level of service without the need to use or
artificially introduce such a super-root.

My view on POLA is that if two alternative systems can be constructed
using different decomposition and different interaction patterns providing
the same level of service, but one of the alternatives can avoid more
excess authority for domains, then the second alternative, regardless of
the fact that each domain, from the point of view of its functionality
against the existing graph, only has legitimate needs for its authority, as
a whole does not adhere to POLA even if all individual domains do.

Combining these two, if my hypothesis is valid, I would thus say that
possibly the existence of, but certainly the introduction of a super-root
should be considered a warning sign that the composed system as a whole
might not adhere to POLA even if all its components do, and refactoring 
should be considered.

> But to make progress on this matter, it would first be necessary to
> define the scope of the problem.  For example, it is not even clear to
> me what your universe of objects is.  Is it a single node computer, a
> local network, the internet?  I think that the bigger your universe
> is, the more likely it is that your claim is correct, but for
> universes with a small scope, like the personal computer on my desk, I
> think that your claim is wrong.

I disagree. I feel it applies both for 'user' as stakeholder within the
internet as universe and for (persistent?) process in a desktop as
universe. For example your mail client should be able to use an index
service to search a mail in the mailboxes it has permission to read.
If the index domain has created its single index from your super root, then
the index holds a large abundance of read capabilities that it should
never delegate to the mail client, and a small set where disclosing
capabilities would not transfer any authority at the process level. Unless
you introduce split caps complexity, the index becomes a powerful deputy
and a bug in the index could leak authority. I am not sure how to refactor
an indexing solution appropriately, but I think there may be possibilities
where not even the full unattenuated transitive authority of the mail
client by the index as hop could give it undue access to the mail client.

Rob
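The mail-index example in the message above, modelled as an added illustration (this is not code from the cap-talk thread or from any capability system discussed there). The mailbox names, message texts and the two index designs are constructed for this example. It compares an index built once from the super-root, which then holds a read capability for every mailbox and must act as a filtering deputy, with an index built only from the capabilities the mail client itself holds, which has no excess authority to leak:

```python
"""Toy capability-graph model of the "single index from the super root" argument.

Added illustration, not code from the cap-talk thread. Mailboxes, messages
and both index designs are constructed here to make "excess authority held
by the index" a computable quantity.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class ReadCap:
    """Read authority over one mailbox (an edge out of the holder's node)."""
    mailbox: str


# Constructed universe: every mailbox reachable from the super-root.
MAILBOXES: Dict[str, List[str]] = {
    "alice-inbox":   ["budget draft", "lunch plan"],
    "alice-archive": ["old budget"],
    "bob-inbox":     ["budget review", "merger terms"],
    "hr-private":    ["salary budget"],
}


def super_root_caps() -> FrozenSet[ReadCap]:
    """The super-root's authority: a read cap for every mailbox in the universe."""
    return frozenset(ReadCap(m) for m in MAILBOXES)


class Index:
    """Word -> mailboxes posting list, built only over the caps it was handed.

    Built from super_root_caps() this is the rooted design from the post;
    built from one client's caps it is the refactored, client-scoped design.
    Either way the index keeps every cap it was constructed from.
    """

    def __init__(self, caps: Iterable[ReadCap]) -> None:
        self.caps: FrozenSet[ReadCap] = frozenset(caps)
        self.postings: Dict[str, Set[str]] = {}
        for cap in self.caps:
            for message in MAILBOXES[cap.mailbox]:
                for word in message.split():
                    self.postings.setdefault(word, set()).add(cap.mailbox)

    def search_unfiltered(self, word: str) -> Set[str]:
        """Answer from everything indexed, regardless of who is asking.

        A rooted index that answers this way (or whose filter has a bug) is
        the "powerful deputy": it reveals which mailboxes the caller cannot
        read contain the word.
        """
        return set(self.postings.get(word, set()))

    def search_filtered(self, word: str, presented: FrozenSet[ReadCap]) -> Set[str]:
        """Deputy-style mitigation: return only mailboxes the caller can read.

        This is where the post's "split caps complexity" lives; the filter is
        all that separates the caller from the index's full authority.
        """
        allowed = {cap.mailbox for cap in presented}
        return {m for m in self.search_unfiltered(word) if m in allowed}


def excess_authority(index: Index, client: FrozenSet[ReadCap]) -> FrozenSet[ReadCap]:
    """Caps the index holds that the client it serves could never legitimately receive."""
    return index.caps - client


def scenario() -> Dict[str, object]:
    """Compare the rooted and the client-scoped index for one mail client."""
    client = frozenset({ReadCap("alice-inbox"), ReadCap("alice-archive")})

    rooted = Index(super_root_caps())   # one shared index built from the super-root
    scoped = Index(client)              # index built only from this client's caps

    return {
        "rooted_excess": excess_authority(rooted, client),
        "scoped_excess": excess_authority(scoped, client),
        # What an unfiltered (or buggy) rooted index discloses beyond the client's authority:
        "rooted_leak": rooted.search_unfiltered("budget") - {c.mailbox for c in client},
        "rooted_filtered": rooted.search_filtered("budget", client),
        # The scoped index needs no filter: it never held the other caps.
        "scoped_unfiltered": scoped.search_unfiltered("budget"),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        names = sorted(c.mailbox if isinstance(c, ReadCap) else c for c in value)
        print(f"{key}: {names}")
```

The point the numbers make is the one in the post: both designs give the same level of service to the client (the same two mailboxes match "budget"), but the rooted index holds two read capabilities it should never delegate and relies on a correct filter to avoid disclosing them, while the scoped index has nothing to leak.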


