We have to be careful about our terms


Alan Karp

Aug 27, 2025, 1:46:01 PM
to <friam@googlegroups.com>
I just watched a webinar on identity management for AI agents in which delegation was discussed. Unfortunately for us, they were talking about delegating identities. My advice when talking to security professionals is to refer to "permission delegation" or "rights delegation" instead of just "delegation."

They also talked about enforcing least privilege on the AI agents, but it is clear they meant at the granularity of the user authentication. That means that when talking to security professionals we can't assume they know what granularity we're talking about.

--------------
Alan Karp

Mark S. Miller

Aug 27, 2025, 10:34:18 PM
to fr...@googlegroups.com
We do permission delegation when we can and we want to delegate unattenuated rights. Otherwise we do authority delegation. Horton delegates only authority (with responsibility). This is a crucial distinction we need to educate security professionals about. 

Without the distinction, people will interpret both POLA and "least privilege" as least permission, and we'll be talking past each other as badly as we were before Myths Demolished, Paradigm Regained, Robust Composition, caretakers, proxies, membranes, chained attenuated delegation, confinement, and Horton.

Yes, I know that almost no one is actually familiar with any of these. But we want to seed the debate with the distinctions that enable them to clear up these old confusions.

Reasoning about access control without this distinction is like reasoning about thermodynamics without distinguishing heat and temperature. 

--
  Cheers,
  --MarkM
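
An added illustration, not part of the thread or any poster's code: one reading of the permission/authority distinction above in object-capability style, where handing over a reference delegates the permission itself and handing over a revocable read-only caretaker delegates attenuated authority. The names `makeFile`, `makeReadOnlyCaretaker`, `bob` and `carol` are hypothetical.

```javascript
// Added illustration; all names here are hypothetical.

// The resource: holding this object reference is the permission to read and write it.
function makeFile(initial) {
  let contents = initial;
  return Object.freeze({
    read: () => contents,
    write: (text) => { contents = text; },
  });
}

// Attenuating, revocable caretaker: forwards only read(), and only until revoked.
// The holder of `facet` never receives the file reference itself.
function makeReadOnlyCaretaker(target) {
  let live = target;
  const facet = Object.freeze({
    read: () => {
      if (live === null) throw new Error('revoked');
      return live.read();
    },
  });
  const revoke = () => { live = null; };
  return { facet, revoke };
}

// Run both kinds of delegation and report what each delegate could do.
function demo() {
  const file = makeFile('v1');

  // Permission delegation: bob gets the same reference, hence the same unattenuated rights.
  const bob = file;
  bob.write('v2 (written by bob)');

  // Authority delegation: carol gets a forwarder, so she can cause reads of the file
  // without holding any permission to the file object itself.
  const { facet: carol, revoke } = makeReadOnlyCaretaker(file);
  const carolRead = carol.read();
  const carolCanWrite = typeof carol.write === 'function';

  revoke(); // the delegator withdraws the authority; bob's permission is unaffected
  let carolAfterRevoke;
  try { carolAfterRevoke = carol.read(); } catch (e) { carolAfterRevoke = e.message; }

  return { bobSharesReference: bob === file, carolRead, carolCanWrite,
           carolAfterRevoke, ownerStillReads: file.read() };
}

console.log(demo());
```

A least-privilege review that only counts who holds the file reference would see `bob` and miss `carol`, whose read authority exists only through the caretaker.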