At http://www.erights.org/talks/no-sep/index.html.
[Caution: wide distribution. Please send replies only to a narrower addressee list. Thanks.]
The Structure of Authority: Why security is not a separable concern
by Mark S. Miller, Bill Tulloh, and Jonathan Shapiro
Common programming practice grants excess authority for the sake of functionality; programming principles require least authority for the sake of security. If we practice our principles, we could have both security and functionality. Treating security as a separate concern has not succeeded in bridging the gap between principle and practice, because it operates without knowledge of what constitutes least authority. Only when requests are made -- whether by humans acting through a user interface, or by one object invoking another -- can we determine how much authority is adequate. Without this knowledge, we must provide programs with enough authority to do anything they *might* be requested to do.
We examine the practice of least authority at four major layers of abstraction -- from humans in an organization down to individual objects within a programming language. We explain the special role of object-capability languages -- such as E or the proposed Oz-E -- in supporting practical least authority.
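To make the abstract's point concrete, here is an added Python sketch (not code from the talk, and not E or Oz-E). It contrasts an ambient-authority viewer, which must be trusted with the whole store because any request might name any file, with a capability-style viewer that receives, alongside each request, a reference to just the entry requested. The in-memory store, the paths and the class names are constructed for the illustration.

```python
# Constructed in-memory "file store" (path -> contents) standing in for a filesystem.
STORE = {
    "/home/alice/notes.txt": "shopping list",
    "/home/alice/secret.txt": "bank password",
    "/etc/shadow": "root hash",
}


def ambient_view(path):
    """Ambient-authority viewer: names an entry in the global store directly."""
    return STORE[path]


def ambient_reach():
    """Least authority is unknowable before the request arrives, so the ambient
    viewer has to be able to reach every entry it might ever be asked for."""
    return set(STORE)


class ReadCap:
    """Read capability for exactly one entry; holding the reference is the authority."""
    def __init__(self, store, path):
        self._store, self._path = store, path

    def reachable(self):
        return {self._path}

    def read(self):
        return self._store[self._path]


class DirCap:
    """Read capability for every entry under one prefix; can be attenuated to one file."""
    def __init__(self, store, prefix):
        self._store, self._prefix = store, prefix

    def reachable(self):
        return {p for p in self._store if p.startswith(self._prefix)}

    def file(self, name):
        """Attenuation: mint a narrower capability for a single entry under this prefix."""
        path = self._prefix + name
        if path not in self.reachable():
            raise PermissionError(f"no authority over {path}")
        return ReadCap(self._store, path)


def capability_view(cap):
    """Capability-style viewer: it can only read what it was handed."""
    return cap.read()


def user_opens(home, name):
    """The request carries the authority: the holder of the home-directory
    capability narrows it to one file at the moment of the request."""
    return capability_view(home.file(name))
```

Comparing `ambient_reach()` with `home.file("notes.txt").reachable()` shows the gap between the authority granted for the sake of functionality and the authority the request actually needed.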
squeak-e@lists.squeakfoundation.org