[E-Lang] Trust and Rules of Engagement

Marc Stiegler marcs@skyhunter.com
Tue, 2 Jan 2001 10:50:23 -0700

After much pestering from markm, I have posted an old, incomplete,
incorrect, partial draft of a paper of mine about trust and capabilities.
You can find "Trust and the Rules of Engagement" at


I posted this document because, despite its flaws, it encompasses material
which, to my knowledge, has not been put together elsewhere. It contains a
gaggle of definitions of terms which are useful when thinking about
auditable capability-secure software, and makes a number of deductions that
are useful when thinking about auditing capability-secure systems. The paper
became relevant on e-lang when the term "rely" came up for describing trust
relationships. In the paper, I define the term "at the mercy of" to mean
approximately the same thing. I actually still like "at the mercy of"
because it introduces the correct note of terror, though "rely" is good
because it is shorter. Anyway, just reading all the definitions of terms
might be useful; it might get one across discussion of terms
related to "rely" more quickly. I think the term "working trust" is useful,
and the definition of "breach" that enables pinpointing an exact source code
location is potentially powerful (though this description is barely
mentioned in passing at the end).

The original short-term goal of this paper was to create a documentation
convention which would allow a large capability-based system with stringent
security requirements (MicroCosm to be specific) to be audited for less than
the total GNP of the USA. The long-term goal was to build automated tools
for auditing capability systems. By the end of the paper, the enthusiastic
reader may be able to see the first tiny glimmers of such tools.

There is at least one Ph.D. thesis to be gotten out of completing this
document, and at least one billion-dollar company to be gotten out of
building the tools that would be based on the thesis. But I'm a bit too
cranky at this point in my life to be fooling with doctoral theses, and the
billion-dollar company can't be formed until tens of thousands of people
realize that they should be building/demanding auditable capability-based
systems in the first place.

Anyway, for the real enthusiast, here it is. I will not be pointing at it
from my own home page until it is in better condition...which means I may
never point to it, since I have no plan for improving it. But you can link
to it if you really want to :-)