Marc proposed a scheme involving vetted IDs. I was on another mental track and missed some details. It's in the slides. There were comments about whether rôle termination was a necessary digression. I can argue either way.
Membranes were proposed, and I think that they work, but having to explain how membranes work is a problem; membranes are simpler on the outside than on the inside.
Here is a third approach. You want the rôle to persist; you want Bob to perform that rôle; upon revocation you want Bob to persist, perhaps even as a member of the organization; and you want the rôle to persist so that it can be granted to another person. You want to retain the ability, at some unanticipated future time, to deny Bob the ability to perform that rôle.
Described this way, the problem suggests that you want to create a particular revokable capability, to be invoked exclusively by Bob, in order to perform any necessary action in the rôle.
That's a possibly biased description of the problem.
First, a naïve solution: give Bob an old-fashioned authentication (user name and password) which accesses a user agent (think shell account) which wields the capabilities necessary and sufficient for the rôle. This agent would, among other things, remember the provenance of the capabilities granted to this rôle by other parts of the organization. When it is time to divorce Bob from the rôle, this one capability is revoked and another revokable capability is created for the next person to assume this rôle. This is ‘Waldo-like’. It is clear how to sever a Waldo driver from the lab.
Another way to describe a solution, and perhaps even to save some code, is to give Bob a networked capability machine using one of the remote capability protocols, which relies on one shared secret between that machine and the rest of the institutional computers. When it is time to divorce Bob from the rôle, cause the network to forget its half of the shared secret—cut the virtual cable.
Of course Bob’s special rôle machine can be a virtual machine, etc.
Let me raise an attack scenario that we will want to consider. Bob, while in the rôle, creates objects with behavior on the institution side of the membrane. That may indeed be part of his charter—to automate himself out of a job. That object will continue to behave as Bob taught it after Bob is persona non grata. Unless the object is confined, it is likely to be able to receive instructions from Bob subsequent to the divorce. This is not good. None of the proposed solutions that involve computers seems to solve this problem, except perhaps by keeping Bob from introducing code. What, however, is ‘code’? Are Java byte codes code? This is a bad place to go, as we want to decentralize the ability to introduce computer behavior throughout the institution.
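As an added example (not code from the original notes), here is the revokable capability of the naïve solution above as a forwarder that Bob invokes to act in the rôle, together with the leftover-object scenario: an automaton Bob installed on the institution side keeps acting on his instructions after his capability is revoked, unless it too was handed only a revokable capability that is revoked along with his. The names Caretaker, RolePowers, automaton, allowed and run are hypothetical, and the ledger is constructed sample state.

```python
# Added example, not code from the original notes: a revocable forwarder (the
# "caretaker" pattern) as Bob's only capability, plus the leftover-object problem.
class Caretaker:
    """Forwards every call to its target until revoke() cuts the link."""
    def __init__(self, target):
        self._target = target
    def revoke(self):
        self._target = None  # the target itself persists for the next holder
    def __getattr__(self, name):
        if self._target is None:
            raise PermissionError("capability revoked: " + name)
        return getattr(self._target, name)

class RolePowers:
    """Institution-side powers of the rôle (constructed sample, hypothetical)."""
    def __init__(self):
        self.ledger = []  # state the rôle may act on
        self.issued = []  # caretakers handed to objects installed under the rôle
    def post(self, text):
        self.ledger.append(text)
        return len(self.ledger)
    def install(self, factory, confine):
        # Bob's object lives on the institution side: raw powers, or only a caretaker.
        powers = Caretaker(self) if confine else self
        if confine:
            self.issued.append(powers)
        return factory(powers)

def automaton(powers):
    # Stand-in for code Bob leaves behind: acts on whatever instruction arrives.
    return lambda instruction: powers.post("automaton: " + instruction)

def allowed(action):
    try:
        action()
        return True
    except PermissionError:
        return False

def run(confine):
    role = RolePowers()
    bobs_cap = Caretaker(role)  # the one capability Bob is handed
    bobs_cap.post("posted by Bob while in the rôle")
    leftover = bobs_cap.install(automaton, confine)
    bobs_cap.revoke()  # the divorce...
    for cap in role.issued:
        cap.revoke()  # ...and everything issued during Bob's tenure
    bob_can_post = allowed(lambda: bobs_cap.post("after revocation"))
    leftover_acts = allowed(lambda: leftover("instruction from Bob after the divorce"))
    return bob_can_post, leftover_acts, list(role.ledger)
```

Confining the automaton only revokes its powers; it does not stop Bob's instructions from reaching it, which is the harder problem the scenario points at.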