zooko: MarkM:
 zooko: Thank you for working on this document. I think it is very important at this stage in history that this paper be written. Bravo!
     markm: Thanks!
 zooko: I believe that ACLs can also implement the same text editor POLA story, but only by using the superuser/administrator account to create a new principal,
     daw: It depends what you mean by ACLs. Some ACL systems can readily support the same POLA story without requiring the involvement of the superuser.
     daw: There's a key principle here:
         ping: Well, sort of.
             tribble: Slashdot today has a discussion of Ping's Secure Interaction paper as item #2 on the front page. Here's a direct link to the discussion.
         ping: Programs ought to be able to invoke operations in a way that conveys the least necessary privilege.
             frantz: I agree fully, but this ability is only part of the required mechanism. Programs also need to be able to bring their own capabilities to the party.
     daw: For instance, standard Unix systems have only limited support for this principle. A process can be running as root, or as a non-root user.
        cg: Linux has taken a tiny step in the correct direction with kernel capabilities.
             ping: It should be emphasized that these are not "capabilities" at all.
                 shap: Actually, yes.
                 cg: You're right, I should have chosen my wording more carefully.
        cg: However, this is not POLA. That'd be the capability to bind exactly to port 80. My appserver can bind to any low port and fool e.g.
             ping: That's a granularity issue.
     daw: My conclusion is that there are two different goals one might shoot for in a security-aware programming environment: good support for
         marcs: Since we have entered into a long discussion here in which capability as authority bundled with designation is crucial,
         marcs: For me, the merit of designation-with-authority became clear only when I started writing user interfaces for secure systems.
            daw: I agree. UIs seem like a great concrete example of how designation-with-authority helps.
 zooko: This is a purely technical difference: whether or not you can dynamically create a new protection domain without requiring superuser privileges.
     markm: This is a beautiful point, but as stated applies only to actual ACL systems.
     markm: ACL systems don't necessarily require root authority to add accounts or to modify the ACLs, even though currently deployed ACL systems do require this.
         shap: At present, in OpenCM, you actually do need to be a member of the admin group to create a new account,
     markm: I know Jonathan has explained to me why he chose to use the "Club" ACL design rather than a capability one for OpenCM,
         shap: 1. The application demanded revocation in a way whose book-keeping was much easier this way.
 zooko: I think that a lot of scientists out there would benefit from a closer look at the topics in category 1,
     markm: I like the idea of making this separation, but I don't understand why 2.a and 2.b are listed as engineering differences rather than technical ones.
 zooko: Of course, the reason I care so strongly about it lies in category 3.
     marcs: A point I have started making since the advent of Palladium is that checking in with the central HQ about the good standing of the author does not solve
         shap: Then please stop making this point in this way, as this has nothing whatsoever to do with Palladium.
         shap: Your point is sound and worth making, but it has nothing to do with Palladium and it will become discredited as people figure that out.
             marcs: While I immediately cede the point wrt the way I stated it above, it still seems to me that the overall point does have something to do with Palladium.
                 shap: Yes and no, but mostly no.
                 ben: Kinda.
         ben: >>>in with the central HQ about the good standing of the author does not
         ben: >>>all the problems...
     markm: I like the engineering and political points a lot, but they don't belong in this paper.
     marcs: -- Microsoft IE has had a bug in it that allows outsiders to take full control of the system if the user goes to the attacker's web page; this bug is
         shap: Where is this documented?
             marcs: Listing on BugTraq http://online.securityfocus.com/archive/1/298748
 zooko: [footnote1] Once you imagine extending an ACL system to allow such a thing,
    markm: I doubt it. As you incrementally fix the problems of an ACL system within the ACL paradigm, it's hard for me to see how you get farther than SPKI.
 zooko: Just now when looking at it again, I finally understood an inconsistent sentence -- the first sentence of section 6.2.
     zooko: ^-- "formal"
     zooko: Regards,
 zooko: [footnote3] Hello! I'm footnote 3 and I'm way down here.
     markm: I've changed it from "Access and Authorization" to the active "Accessing and Authorizing".