At <http://www.erights.org/talks/no-sep/index.html>.
[Caution: wide distribution. Please send replies only to a narrower addressee
list. Thanks.]
The Structure of Authority:
Why security is not a separable concern
by Mark S. Miller, Bill Tulloh, and Jonathan Shapiro
Common programming practice grants excess authority for the sake of
functionality; programming principles require least authority for the sake of
security. If we practice our principles, we could have both security and
functionality. Treating security as a separate concern has not succeeded in
bridging the gap between principle and practice, because it operates without
knowledge of what constitutes least authority. Only when requests are made --
whether by humans acting through a user interface, or by one object invoking
another -- can we determine how much authority is adequate. Without this
knowledge, we must provide programs with enough authority to do anything they
*might* be requested to do.
We examine the practice of least authority at four major layers of abstraction
-- from humans in an organization down to individual objects within a
programming language. We explain the special role of object-capability
languages -- such as E or the proposed Oz-E -- in supporting practical least
authority.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
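The abstract's central claim, that only the request reveals how much authority is adequate, is easiest to see on the classic file-copy program. The following is an added illustration, not code from the talk, from E, or from Oz-E: it compares a copier that names its inputs by path (and so must be trusted with the whole file system) against one that receives exactly two object-capabilities chosen by the caller who knows the request. The in-memory store, the names Store, DirCap, ReadCap, WriteCap, copy_ambient, copy_ambient_trojan, copy_cap and demo, and the sample file contents are all constructed for this example.

```python
"""Ambient authority vs. object-capability authority for a file copy.

Added example, not part of the talk. A tiny in-memory "file system" stands in
for the OS so it runs offline; all class and function names are hypothetical.
"""
from typing import Dict


class Store:
    """Constructed in-memory file system: absolute path -> bytes."""

    def __init__(self) -> None:
        self.files: Dict[str, bytes] = {}


# --- Ambient-authority style --------------------------------------------------
# The copier names its inputs by path, so it (and every library it calls) must
# hold authority over the whole store to do its job. The grant is sized to what
# it *might* be asked, not to what it *is* asked.
AMBIENT_STORE = Store()


def copy_ambient(src: str, dst: str) -> None:
    """The honest copier."""
    AMBIENT_STORE.files[dst] = AMBIENT_STORE.files[src]


def copy_ambient_trojan(src: str, dst: str) -> bytes:
    """Same signature and the same useful behaviour, plus an unrequested read.
    Nothing in the interface can stop it: the authority is ambient."""
    AMBIENT_STORE.files[dst] = AMBIENT_STORE.files[src]
    return AMBIENT_STORE.files.get("/home/alice/.ssh/id_ed25519", b"")


# --- Object-capability style --------------------------------------------------
# Authority travels with unforgeable references. A ReadCap reads one file, a
# WriteCap writes one file, a DirCap covers one subtree and can be attenuated
# to narrower caps. The request "copy a to b" decides which two caps to pass.
class ReadCap:
    def __init__(self, store: Store, path: str) -> None:
        self._store, self._path = store, path

    def read(self) -> bytes:
        return self._store.files[self._path]


class WriteCap:
    def __init__(self, store: Store, path: str) -> None:
        self._store, self._path = store, path

    def write(self, data: bytes) -> None:
        self._store.files[self._path] = data


class DirCap:
    def __init__(self, store: Store, prefix: str) -> None:
        self._store, self._prefix = store, prefix.rstrip("/") + "/"

    def reader(self, name: str) -> ReadCap:
        return ReadCap(self._store, self._checked(name))

    def writer(self, name: str) -> WriteCap:
        return WriteCap(self._store, self._checked(name))

    def subdir(self, name: str) -> "DirCap":
        return DirCap(self._store, self._checked(name))

    def _checked(self, name: str) -> str:
        # One path component only: a holder of a DirCap cannot climb out of it.
        if "/" in name or name in ("", ".", ".."):
            raise ValueError("a single path component is required")
        return self._prefix + name


def copy_cap(src: ReadCap, dst: WriteCap) -> None:
    """The copier holds src and dst and nothing else; that is its whole world."""
    dst.write(src.read())


def demo() -> dict:
    """Run both styles over the same constructed data and report the outcome."""
    AMBIENT_STORE.files.update({
        "/home/alice/notes.txt": b"todo",
        "/home/alice/.ssh/id_ed25519": b"SECRET-KEY",   # constructed sample
    })
    leaked = copy_ambient_trojan("/home/alice/notes.txt", "/tmp/notes.txt")

    store = Store()
    store.files.update(AMBIENT_STORE.files)
    root = DirCap(store, "/")
    alice = root.subdir("home").subdir("alice")
    # The caller knows the request, so it hands over exactly the two caps it needs.
    copy_cap(alice.reader("notes.txt"), root.subdir("tmp").writer("notes.txt"))

    # Attenuation holds: even a cap on alice's directory cannot be bent into
    # a reference outside it by name games.
    try:
        alice.reader("../.ssh/id_ed25519")
        traversal_refused = False
    except ValueError:
        traversal_refused = True

    return {
        "ambient_leak": leaked,
        "cap_copy_ok": store.files["/tmp/notes.txt"] == b"todo",
        "traversal_refused": traversal_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The point is not that copy_cap is better written than copy_ambient; their bodies are the same one-liner. It is that copy_cap cannot be given too much authority by accident, because its caller, who alone knows the request, has nothing but two single-file caps to hand it.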