zooko: MarkM:
zooko: Thank you for working on this document. I think it is very important at this stage in history that this paper be written. Bravo!
markm: Thanks! |
zooko: I believe that ACLs can also implement the same text editor POLA story, but only by using the superuser/administrator account to create a new principal,
daw: It depends what you mean by ACLs. Some ACL systems can readily support the same POLA story without requiring the involvement of the superuser. |
daw: There's a key principle here: |
ping: Well, sort of. |
tribble: Slashdot today has a discussion of Ping's Secure Interaction paper as item #2 on the front page. Here's a direct link to the discussion. |
ping: Programs ought to be able to invoke operations in a way that conveys the least necessary privilege. |
frantz: I agree fully, but this ability is only part of the required mechanism. Programs also need to be able to bring their own capabilities to the party. |
daw: For instance, standard Unix systems have only limited support for this principle. A process can be running as root, or as a non-root user. |
cg: Linux has done a tiny step in the correct direction with kernel capabilities. |
ping: It should be emphasized that these are not "capabilities" at all. |
shap: Actually, yes. |
cg: You're right, I should have chosen my wording more carefully. |
cg: However, this is not POLA. That'd be the capability to bind exactly to port 80. My appserver can bind to any low port and fool e.g.
ping: That's a granularity issue. |
daw: My conclusion is that there are two different goals one might shoot for in a security-aware programming environment: good support for |
marcs: Since we have entered into a long discussion here in which capability as authority bundled with designation is crucial, |
marcs: For me, the merit of designation-with-authority became clear only when I started writing user interfaces for secure systems. |
daw: I agree. UIs seem like a great concrete example of how designation-with-authority helps.
zooko: This is a purely technical difference: whether or not you can dynamically create a new protection domain without requiring superuser privileges. |
markm: This is a beautiful point, but as stated applies only to actual ACL systems. |
markm: ACL systems don't necessarily require root authority to add accounts or to modify the ACLs, even though currently deployed ACL systems do require this. |
shap: At present, in OpenCM, you actually do need to be a member of the admin group to create a new account, |
markm: I know Jonathan has explained to me why he chose to use the "Club" ACL design rather than a capability one for OpenCM, |
shap: 1. The application demanded revocation in a way whose book-keeping was much easier this way. |
zooko: I think that a lot of scientists out there would benefit from a closer look at the topics in category 1, |
markm: I like the idea of making this separation, but I don't understand why 2.a and 2.b are listed as engineering differences rather than technical ones. |
zooko: Of course, the reason I care so strongly about it lies in category 3. |
marcs: A point I have started making since the advent of Palladium is that checking in with the central HQ about the good standing of the author does not solve |
shap: Then please stop making this point in this way, as this has nothing whatsoever to do with Palladium. |
shap: Your point is sound and worth making, but it has nothing to do with Palladium and it will become discredited as people figure that out. |
marcs: While I immediately cede the point wrt the way I stated it above, it still seems to me that the overall point does have something to do with Palladium. |
shap: Yes and no, but mostly no. |
ben: Kinda. |
ben: >>>in with the central HQ about the good standing of the author does not |
ben: >>>all the problems... |
markm: I like the engineering and political points a lot, but they don't belong in this paper. |
marcs: -- Microsoft IE has had a bug in it that allows outsiders to take full control of the system if the user goes to the attacker's web page; this bug is |
shap: Where is this documented? |
marcs: Listing on BugTraq http://online.securityfocus.com/archive/1/298748 |
zooko: [footnote1] Once you imagine extending an ACL system to allow such a thing, |
markm: I doubt it. As you incrementally fix the problems of an ACL system within the ACL paradigm, it's hard for me to see how you get farther than SPKI.
zooko: Just now when looking at it again, I finally understood an inconsistent sentence -- the first sentence of section 6.2. |
zooko: ^-- "formal" |
zooko: Regards, |
zooko: [footnote3] Hello! I'm footnote 3 and I'm way down here. |
markm: I've changed it from "Access and Authorization" to the active "Accessing and Authorizing". |