[cap-talk] Reducing Ambient user authority in a Type Safe /Memory Safe OS.

James A. Donald jamesd at echeque.com
Sat Dec 19 12:18:40 PST 2009


Ben Kloosterman wrote:
> - The desire by admins (and hence organizations) to allow only
> system/security admins to approve certain functions which may include
> installing applications in some organizations. This includes the
> centralized control of rights.

People desire what is not good for them.  What they desire is that other 
people are required to do certain tasks, and then required to seek 
permissions to accomplish those tasks - which pretty much guarantees 
that users will work to subvert security.  And since the end user has 
physical control of the box or the data, the end user will always 
succeed.  The petty bureaucrat, by maximizing his power within the 
organization, undermines the organization's security.

Observe that one of the big reasons for Walmart's success is that other 
big box company purchasing managers routinely accept bribes from 
salesmen, while Walmart purchasers are notoriously honest.

Meeting admin desires is in this case meeting admin desire to undermine 
security for personal benefit.  Security mechanisms have to benefit the 
person who has physical control of the data and the box on which it 
resides, not the admin, or else they will always be bypassed.
