[cap-talk] Rooted graph bad for POLA ? ( search capability )

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Mon Sep 29 07:07:25 CDT 2008


At Mon, 29 Sep 2008 06:35:36 +0200 (CEST),
"Rob Meijer" <capibara at xs4all.nl> wrote:
> *  The 'least authority' graphs that have a single 'root' are only a
>    subset of all least authority graphs. Most graphs with a single root
>    could potentially be refactored to a rootless graph that adheres to POLA
>    in a much stronger way.

I understand the POLA principle like this: A protection domain should
only have as much authority as it needs.  The tacit assumption here is
that we can define what protection domains and needs are valid, in
other words: are aligned with the legitimate interests of the
stakeholders.  There is no question that the need of a virus is bigger
than the authority we want to give it, yet we are not violating the
POLA principle by denying the virus this authority, because the
interests of the virus author are not considered to be legitimate.
But many other scenarios are much harder to decide.

This means if a service, like a global search across all documents, or
a garbage collector, or a forensic tool, or a consumer protection
measure, requires the authority to access all objects in the system,
then granting such access is not a violation of the POLA principle,
but its faithful and correct implementation.

So, I don't think your claim is stated correctly.  Interpreting the
spirit of it, you rather seem to make a claim about the validity of
certain stakeholder interests.  The actual question is if there are
stakeholders with legitimate interest in the super-root.  Your claim
is that this is never the case.

But this is a decidedly political question, and the answer changes
depending on which stakeholder you ask.

But to make progress on this matter, it would first be necessary to
define the scope of the problem.  For example, it is not even clear to
me what your universe of objects is.  Is it a single node computer, a
local network, the internet?  I think that the bigger your universe
is, the more likely it is that your claim is correct, but for
universes with a small scope, like the personal computer on my desk, I
think that your claim is wrong.

Thanks,
Marcus
