> I think we have a deep difference of assumptions and (dare I use the term)
> paradigms here. For us, the most important lesson about the coherence of
> the capability programming paradigm is the Confused Deputy problem...
least privilege
explicit denotation of authority
it's either enforceable or it's not protection
etc.
I view the "confused deputy" as one anecdote in a large space that illustrates why these principles matter.
We should try to enumerate this list of principles. I have tried on several occasions with limited success. I suspect there are differences between the E list and the EROS/KeyKOS list, and that these would be interesting to explore together.
shap
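As an added illustration of the three principles named above (it is not code from the thread, E, EROS or KeyKOS), the following Python retells the classic confused-deputy story twice: first with ambient authority, where a compiler acting as a deputy decides access from its own identity and so can be steered into overwriting a file only it may touch; then with explicit denotation of authority, where the client can only say "write here" by handing over a capability it already holds. The principals, paths, the in-memory `Store` and the `WriteCap` token are all constructed for this example, and the unforgeability of `WriteCap` is an assumption (a capability kernel enforces it; plain Python does not).

```python
# Added example (not from the original thread): the confused deputy in code,
# with ambient authority and then with explicitly denoted authority.
# Every name, path and the in-memory "filesystem" below is constructed.

from dataclasses import dataclass, field


@dataclass
class Store:
    """Constructed stand-in for a filesystem: path -> contents."""
    files: dict = field(default_factory=dict)


# ---------- Model 1: ambient authority (ACL keyed on caller identity) ----------

class AmbientFS:
    """Access is decided from the caller's identity, not from anything the
    caller passed in. Whoever runs as 'compiler' may write whatever 'compiler'
    may write, no matter who asked for it."""

    def __init__(self, store, acl):
        self.store = store
        self.acl = acl  # path -> set of principals permitted to write it

    def write(self, principal, path, data):
        if principal not in self.acl.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self.store.files[path] = data


def ambient_compiler(fs, source, output_path):
    """The deputy: writes output to a path the client *names*, then appends a
    billing record to a file only the compiler may touch. Both writes carry
    the compiler's own identity, which is the ambient authority."""
    fs.write("compiler", output_path, f"object-code({source})")
    old = fs.store.files.get("/var/billing", "")
    fs.write("compiler", "/var/billing", old + f"bill:{source};")


def run_ambient():
    """Returns (could_alice_write_billing_directly, final billing contents)."""
    store = Store({"/var/billing": "bill:earlier;"})
    acl = {"/var/billing": {"compiler"},
           "/home/alice/out": {"alice", "compiler"}}
    fs = AmbientFS(store, acl)
    try:                                   # alice cannot write the billing file herself...
        fs.write("alice", "/var/billing", "")
        direct = True
    except PermissionError:
        direct = False
    # ...but she can name it as her output path; the deputy checks only its
    # own identity and clobbers the billing file on her behalf.
    ambient_compiler(fs, "hello.c", "/var/billing")
    return direct, store.files["/var/billing"]


# ---------- Model 2: explicit denotation of authority (capabilities) ----------

class WriteCap:
    """A capability: designation of one path *and* the right to write it, as a
    single token. Assumed unforgeable here; a capability kernel enforces that,
    Python does not, so this models the discipline rather than the enforcement."""

    def __init__(self, store, path):
        self._store, self._path = store, path

    def read(self):
        return self._store.files.get(self._path, "")

    def write(self, data):
        self._store.files[self._path] = data


def make_cap_compiler(billing_cap):
    """Install the deputy with the one capability it needs (least privilege).
    The client-facing call takes no path names, only a capability the client
    must already hold, so there is no identity check for the deputy to get wrong."""
    def compile_(source, output_cap):
        output_cap.write(f"object-code({source})")
        billing_cap.write(billing_cap.read() + f"bill:{source};")
    return compile_


def run_capability():
    """alice holds only a capability for her own output file; that is the only
    place she can designate. Returns the final store contents."""
    store = Store({"/var/billing": "bill:earlier;"})
    compiler = make_cap_compiler(WriteCap(store, "/var/billing"))
    alice_out = WriteCap(store, "/home/alice/out")
    compiler("hello.c", alice_out)
    return store.files


if __name__ == "__main__":
    print("ambient   :", run_ambient())
    print("capability:", run_capability())
```

The contrast is the point of "it's either enforceable or it's not protection": in the ambient model the protection lives in a check the deputy performs with its own name, and any client that can supply a path can make that check answer the wrong question; in the capability model the authority travels with the designation, so the deputy cannot be confused about whose authority it is exercising because it never has to ask.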