Split Capabilities: Making Capabilities Scale

Ben Laurie ben@algroup.co.uk
Tue, 25 Jul 2000 11:36:32 +0100


"Karp, Alan" wrote:
> 
> Ahh, so that's the difference.  I was assuming that, as a holder of the
> decrement capability, I see an object that can only be decremented.  In this
> view, any increment is a side effect outside the object model.  You are
> saying that a holder of any of the foreseen facets is automatically aware of
> all the other foreseen facets, or at least those with visible effects.
> Thus, any action appearing in a foreseen facet is within the object model.
> 
> This point raises an interesting question.  Knowing that an operation is
> possible makes a certain class of attacks possible.  Hence, we want to
> institute a policy of least information.

Umm ... security that relies on people not knowing things is generally
bad - your threat model should generally assume that the attacker is in
full possession of the facts about the system (after all, he wrote it,
didn't he?).

>  On the other hand, it's not nice
> to surprise your programmers, so we also want a policy of least
> astonishment.  These policies are often in conflict, and care is needed in
> deciding which one to honor.

Nope. The latter is the only one worth considering.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/
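The counter-with-facets design argued over above, as an added example (not code from the thread or from either author): one hidden counter, an increment facet and a decrement facet handed out separately, so the decrement holder can watch the value rise without holding any authority to raise it. Function and facet names are assumptions.

```python
from types import SimpleNamespace


def make_split_counter(start=0):
    """Return (inc, dec): two facets over one shared, hidden counter.

    Each facet is a closure over the state, so a holder of `dec` receives
    no reference through which it could reach `increment`. (Python does not
    enforce encapsulation; this models the design, not a capability-safe
    runtime.)
    """
    state = {"value": start}  # constructed sample state

    def increment():
        state["value"] += 1
        return state["value"]

    def decrement():
        if state["value"] == 0:
            raise ValueError("counter already at zero")
        state["value"] -= 1
        return state["value"]

    def value():
        return state["value"]

    inc = SimpleNamespace(increment=increment, value=value)
    dec = SimpleNamespace(decrement=decrement, value=value)
    return inc, dec


def run_demo():
    """Trace what the decrement holder can do and what it can observe."""
    inc, dec = make_split_counter(2)
    trace = []
    trace.append(("dec decrements to", dec.decrement()))      # 1
    trace.append(("inc increments to", inc.increment()))      # 2
    # The decrement holder sees the rise it could never have caused:
    # an "increment" is a foreseen facet, so it is inside the object model.
    trace.append(("dec observes", dec.value()))               # 2
    trace.append(("dec holds increment", hasattr(dec, "increment")))
    return trace
```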