[E-Lang] Formal Declaration, Statements of Consensus, February 9, 2001

Marc Stiegler marcs@skyhunter.com
Fri, 9 Feb 2001 16:11:01 -0700

Statements Of Consensus as of February 9, 2001

1. We all agree that currently available ACL systems are too broken to be
serious contenders for general-purpose effective security.

2. We all agree there is at least one security relationship that
capabilities cannot create, even in theory. This is the one Ralph Hartley
identified that Mark Miller agrees with. We also agree that this one is not
practical importance. We also agree that there may be others that might be
of practical importance, though there is no agreement that others have been

3. We all agree that capabilities systems as embodied in EROS and E seem
architecturally sound enough to be serious contenders for providing
general-purpose effective security.

4. We all agree that the Principle of Least Authority (POLA) is an important
element in security design, and is indeed a sensible best-practice.

5. We all agree that capabilities inherently convey "narrow" authorities, in
the sense that they name only one object at a time (in contrast to user ids
as basis for protection, which name multiple objects at a time).

6. We all agree that explicitly designating authority at the locus of use
imposes a style of use that simultaneously tends to reduce the number of
authority misuse errors and renders them easier to locate, identify, and
repair. We agree that capability systems (via C-list indices) lend
themselves to such explicit designation. We deduce that capability systems
lend themselves to the application of POLA, though one can build non-POLA
capability systems.

7.We recognize that POLA is a part of both E and EROS as actual

8. We all agree that each authority should have its own protection,
according to the POLA. Compromising one protection should not yield the
ability to compromise others.

Disclaimer: The participants in this discussion have a wide disparity of
knowledge about different aspects of these discussions. Consequently, the
necessarily more correct way of stating this consensus is that everyone
agrees within the constraints of their knowledge: For any one aspect of
these statements of consensus, those with a weaker knowledge of that aspect
know of no fault in the statement, and are necessarily trusting those with a
stronger knowledge of that aspect to have highlighted a fault if there is
one. Equally of course, if new evidence or insights become available, people
may have a different opinion at a later date, making this document obsolete.

Participants in this discussion, alphabetical by first name, include:

Alan Karp            (alan_karp@hp.com)
Ben Laurie           (ben@algroup.co.uk)
Bill Frantz           (frantz@pwpconsult.com)
Chip Morningstar  (chip@communities.com)
Chris Hibbert        (hibbertc@pacbell.net)
Dan Bornstein     (danfuzz@milk.com)
Dan Moniz           (dnm@pobox.com)
David Wagner      (daw@mozart.cs.berkeley.edu)
Hal Finney           (hal@finney.org)
Jonathan Shapiro (shap@cs.jhu.edu)
Ka-Ping Yee        (ping@lfw.org)
Marc Stiegler       (marcs@skyhunter.com)
Mark Miller          (markm@caplet.com)
Norm Hardy         (norm@cap-lore.com)
Nikita Borisov      (nikitab@cs.berkeley.edu)
Ralph Hartley      (hartley@aic.nrl.navy.mil)
Tyler Close         (tclose@oilspace.com)