[E-Lang] Summary for Practical Programming

Marc Stiegler marcs@skyhunter.com
Fri, 2 Feb 2001 10:39:59 -0700


Does everyone indeed agree with Tyler's proposed statements of agreement
here? It would pleasantly surprise me if they did. Again, a quick "no" is
sufficient for my immediate purpose.

I am going to chew on the brief discussions of my summary and put out a new
proposed summary, but it will not be today. Probably Monday. So far I am
pleasantly surprised by how close the first draft got to something people
could agree with (and David, of course I am not surprised that you disagree
with the conclusions I had at the end; I wasn't really expecting agreement
with that part :-)


--marcs

----- Original Message -----
From: Tyler Close <tclose@oilspace.com>
To: Marc Stiegler <marcs@skyhunter.com>
Cc: E Language Discussions <e-lang@eros.cis.upenn.edu>
Sent: Friday, February 02, 2001 4:09 AM
Subject: RE: [E-Lang] Summary for Practical Programming


> MarcS wrote:
> > 7. We all agree that defense in depth is appropriate within the following
> > constrained understanding of defense in depth: At the levels above the
> > deepest level of infrastructure, we agree that using POLA, which in some
> > sense is a defense in depth, and using multiple patterns of interaction
> > (facets, revokable forwarders, sealers, etc.) to defend the system all make
> > sense.
>
> I think this statement does not fully reflect the distinction we were
> trying to make. The statement doesn't make clear that some of us think
> overlapping defenses do not make sense in the context of software
> code. I would state the consensus as:
>
> "We all agree that each authority should have its own protection,
> according to the POLA. Compromising one protection should not yield
> the ability to compromise others."
>
> > We still disagree as to how many kinds of defense
> > are required at the
> > deepest level of infrastructure, i.e., whether just capabilities are
> > sufficient or whether others are needed.
>
> I think the only disagreement is whether "doubling up" makes sense. I
> don't think anyone has argued that capabilities are insufficient for
> expressing the protections. I think everyone is happy that
> capabilities are sufficient for forming a "first line of defense". The
> only debate is whether a "second line of defense" is useful.
>
> It follows that everyone also agrees that the capability model is
> theoretically sound. There is still a debate as to whether ACLs could
> theoretically achieve this robustness.
>
> Tyler
>