[E-Lang] Summary for Practical Programming

Tyler Close tclose@oilspace.com
Fri, 2 Feb 2001 11:09:45 -0000

MarcS wrote:
> 7. We all agree that defense in depth is appropriate within the
> following constrained understanding of defense in depth: At the
> levels above the deepest level of infrastructure, we agree that
> using POLA, which in some sense is a defense in depth, and using
> multiple patterns of interaction (facets, revocable forwarders,
> sealers, etc.) to defend the system all make sense.

I think this statement does not fully reflect the distinction we were
trying to make. The statement doesn't make clear that some of us think
overlapping defenses do not make sense in the context of software
code. I would state the consensus as:

"We all agree that each authority should have its own protection,
according to the POLA. Compromising one protection should not yield
the ability to compromise others."

> We still disagree as to how many kinds of defense are required at
> the deepest level of infrastructure, i.e., whether just capabilities
> are sufficient or whether others are needed.

I think the only disagreement is whether "doubling up" makes sense. I
don't think anyone has argued that capabilities are insufficient for
expressing the protections. I think everyone is happy that
capabilities are sufficient for forming a "first line of defense". The
only debate is whether a "second line of defense" is useful.

It follows that everyone also agrees that the capability model is
theoretically sound. There is still a debate as to whether ACLs could
theoretically achieve this robustness.
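The consensus statement above ("each authority should have its own protection ... compromising one protection should not yield the ability to compromise others") and the patterns listed in the quoted message (facets, revocable forwarders) can be shown concretely. The following is an added illustration, not code from the thread or from E; it uses plain JavaScript closures in place of E objects, and the store, the names alice/bob and the "ledger" value are constructed for the example.

```javascript
// Revocable forwarder: a caveat wrapper around a target that the grantor
// can later cut off. Each grant gets its own forwarder and its own revoker,
// so revoking (or leaking) one grant never touches another grant of the
// same underlying authority.
function makeRevocableForwarder(target) {
  let current = target; // null once revoked
  const forwarder = Object.freeze({
    call(method, ...args) {
      if (current === null) throw new Error("capability revoked");
      return current[method](...args);
    },
  });
  const revoker = Object.freeze({ revoke() { current = null; } });
  return { forwarder, revoker };
}

// Facet: a narrower view that exposes only part of the target's surface.
// The holder cannot reach `set` through it, because the facet never names it.
function makeReadOnlyFacet(store) {
  return Object.freeze({ get: (key) => store.get(key) });
}

// Constructed sample authority: a tiny mutable key-value store.
function makeStore() {
  const data = new Map();
  return {
    get: (key) => data.get(key),
    set: (key, value) => { data.set(key, value); return value; },
  };
}

// Demonstrates POLA-style separation: alice's grant is compromised and
// revoked, bob's independent grant keeps working, and the read-only facet
// holder never had write authority to lose.
function demo() {
  const store = makeStore();
  store.set("ledger", 100);
  const alice = makeRevocableForwarder(store);
  const bob = makeRevocableForwarder(store);
  const auditor = makeReadOnlyFacet(store);
  alice.forwarder.call("set", "ledger", 150);
  alice.revoker.revoke(); // response to alice's grant being compromised
  let aliceBlocked = false;
  try { alice.forwarder.call("get", "ledger"); } catch (e) { aliceBlocked = true; }
  const bobStillWorks = bob.forwarder.call("get", "ledger") === 150;
  const auditorReads = auditor.get("ledger") === 150;
  const auditorCannotWrite = typeof auditor.set === "undefined";
  return { aliceBlocked, bobStillWorks, auditorReads, auditorCannotWrite };
}
```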