First draft of use cases document


Alan Karp

Aug 14, 2025, 7:52:01 PMAug 14
to <friam@googlegroups.com>
I don't know what I plan to do with it, but I still want to catch any errors.

(I'm sending a PDF because the Pages version is too large.)

--------------
Alan Karp
UseCases.pdf

Raoul Duke

Aug 15, 2025, 1:08:31 AMAug 15
to fr...@googlegroups.com
$0.02 I very much appreciate this document, I feel like it explains things in a gradual way I easily relate to. 

Raoul Duke

Aug 15, 2025, 1:12:08 AMAug 15
to fr...@googlegroups.com
My brain takes umbrage at the phrasing "the only way" in Use Case 1 because there are forms of added complexity that could "solve" the problem, such as sending a copy and then having to merge edits back into the original. Even though I know at the beginning you said added-complexity-based solutions are out of scope. :-)

Raoul Duke

Aug 15, 2025, 1:17:34 AMAug 15
to fr...@googlegroups.com
(I know I am a cranky minority squeaky-wheel opinion holder here, but I do think claims - how I read them anyhow - that least-authority systems are magic wands don't hold up. "All programs expand until they can read email" is nowadays "all programs expand until they support a plugin architecture with very lame security/privacy controls." Not saying it is a bad north star vs. ACLs, just saying it feels a tad snake-oily or a little like hubris or marketing hype. Shrug.)

Alan Karp

Aug 15, 2025, 1:17:43 AMAug 15
to fr...@googlegroups.com
Thanks.  I'll try to reword it.

--------------
Alan Karp


On Thu, Aug 14, 2025 at 10:12 PM Raoul Duke <rao...@gmail.com> wrote:
My brain takes umbrage at the phrasing "the only way" in Use Case 1 because there are forms of added complexity that could "solve" the problem, such as sending a copy and then having to merge edits back into the original. Even though I know at the beginning you said added-complexity-based solutions are out of scope. :-)

--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/friam/CAJ7XQb55nP_5b5ycDXPZ_EA0X_5LfdZT73MTrDu_s-nKd%3D4mOA%40mail.gmail.com.

Dale Schumacher

Aug 15, 2025, 10:56:25 AMAug 15
to fr...@googlegroups.com
In your "Cross Jurisdiction Delegation" use-case, you introduce a resource "U". However, you've been consistently using "U" and "Q" to label Update and Query permissions. Perhaps it would be clearer to label the new resource "W" instead?



Alan Karp

Aug 15, 2025, 4:28:52 PMAug 15
to fr...@googlegroups.com
I'm not as pessimistic as you.  There is indeed mission creep that weakens Least Privilege at the whole program level, but LP can be applied at the module or even object level.  Those are much harder to change.

--------------
Alan Karp


On Thu, Aug 14, 2025 at 10:17 PM Raoul Duke <rao...@gmail.com> wrote:
(I know I am a cranky minority squeaky-wheel opinion holder here, but I do think claims - how I read them anyhow - that least-authority systems are magic wands don't hold up. "All programs expand until they can read email" is nowadays "all programs expand until they support a plugin architecture with very lame security/privacy controls." Not saying it is a bad north star vs. ACLs, just saying it feels a tad snake-oily or a little like hubris or marketing hype. Shrug.)


Alan Karp

Aug 15, 2025, 5:03:27 PMAug 15
to fr...@googlegroups.com
Good point.  I changed it to "the easiest way".

--------------
Alan Karp


On Thu, Aug 14, 2025 at 10:12 PM Raoul Duke <rao...@gmail.com> wrote:
My brain takes umbrage at the phrasing "the only way" in Use Case 1 because there are forms of added complexity that could "solve" the problem, such as sending a copy and then having to merge edits back into the original. Even though I know at the beginning you said added-complexity-based solutions are out of scope. :-)


Raoul Duke

Aug 16, 2025, 12:29:50 AMAug 16
to fr...@googlegroups.com
"However, in many role- or policy-based systems, Dave will be able to
use either permission but not both at the same time. With capabilities
Dave can mix and match the capabilities he holds however he likes."

I am obviously not a security person but I have heard enough "oops
there is a side channel we didn't consider" type problems in the
computing world that I wonder if in some situations this ability to
combine could turn out to be a bad thing.

Alan Karp

Aug 18, 2025, 12:32:27 PMAug 18
to fr...@googlegroups.com
There is actually a name for when you don't want 2 resources to be used together, Chinese Wall.  It arises in specialized situations, such as a consulting company working for Coke and Pepsi.  Any employee with access to Coke resources must be forbidden from accessing Pepsi resources.  Policy Based Access Control handles the Chinese Wall, but most other schemes require additional mechanisms.  

--------------
Alan Karp


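The Chinese Wall rule discussed above needs a mechanism beyond the ordinary grant check: a record of which resources a subject has already touched. This added example (not part of the thread or the use-cases document; the company names and conflict classes are constructed) shows a subject who holds grants to both Coke and Pepsi being stopped by the wall after the first access:

```python
from dataclasses import dataclass, field

# Constructed conflict-of-interest classes: dataset -> class it belongs to.
# Coke and Pepsi compete with each other; Bank A and Bank B do too.
CONFLICT_CLASS = {"coke": "soft-drinks", "pepsi": "soft-drinks",
                  "bank-a": "banking", "bank-b": "banking"}

@dataclass
class ChineseWall:
    # What an ACL or capability alone grants: subject -> datasets it may use.
    grants: dict
    # The extra mechanism the wall needs: subject -> datasets already touched.
    history: dict = field(default_factory=dict)

    def may_access(self, subject, dataset):
        """True iff both the ordinary grant and the wall permit the access."""
        if dataset not in self.grants.get(subject, set()):
            return False                                 # no permission at all
        cls = CONFLICT_CLASS[dataset]
        for seen in self.history.get(subject, set()):
            if seen != dataset and CONFLICT_CLASS[seen] == cls:
                return False                             # competitor already seen
        return True

    def access(self, subject, dataset):
        """Attempt an access and, if allowed, record it for future checks."""
        if not self.may_access(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

def demo():
    # Alice holds grants to both Coke and Pepsi, exactly the 'mix and match'
    # case; the wall, not the grant check, is what stops her using both.
    wall = ChineseWall(grants={"alice": {"coke", "pepsi", "bank-a"}})
    return {"coke": wall.access("alice", "coke"),      # True: first in class
            "pepsi": wall.access("alice", "pepsi"),    # False: behind the wall
            "coke2": wall.access("alice", "coke"),     # True: same dataset
            "bank-a": wall.access("alice", "bank-a")}  # True: different class
```

Note that the decision depends on access order: had Alice read Pepsi first, Coke would be the one refused.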

Mark S. Miller

Aug 18, 2025, 12:55:56 PMAug 18
to fr...@googlegroups.com
Nice document!

Hover-over link in first footnote is broken. It omits the "HPL..." part.

image.png





--
  Cheers,
  --MarkM

Alan Karp

Aug 18, 2025, 1:04:01 PMAug 18
to fr...@googlegroups.com
Nice catch.  I have no idea why that happened.  If you copy the text, it works.  If you click on it, it doesn't.  My solution is to put the URL on its own line.  Now clicking works.

--------------
Alan Karp


Mark S. Miller

Aug 18, 2025, 1:27:48 PMAug 18
to fr...@googlegroups.com
Where do I find the current doc, so I can track as you correct? Thanks.




--
  Cheers,
  --MarkM

Alan Karp

Aug 18, 2025, 1:36:57 PMAug 18
to fr...@googlegroups.com

Mark S. Miller

Aug 18, 2025, 2:59:09 PMAug 18
to fr...@googlegroups.com
"A jurisdiction, sometimes referred to as a domain"

Neither "jurisdiction" nor "domain" mean what they normally do, so in this context I still don't know what you mean by either one.





--
  Cheers,
  --MarkM

Mark S. Miller

Aug 18, 2025, 3:08:03 PMAug 18
to fr...@googlegroups.com
"administrative domain" perhaps?

--
  Cheers,
  --MarkM

Alan Karp

Aug 18, 2025, 4:42:22 PMAug 18
to fr...@googlegroups.com
One definition I found is, "A jurisdiction is defined as the authority of a court, government, or legal entity to make, enforce, and administer laws over a specific territory, person, or activity."

A business is a legal entity, and it administers its rules (laws) over specific territory (its resources), person (employees), or activities (access requests).  I agree that I'm pushing the definition, but I think it's close enough for this writeup.

--------------
Alan Karp


Matt Rice

Aug 18, 2025, 5:03:20 PMAug 18
to fr...@googlegroups.com
> A capability-based operating system handles this problem more directly. When you login to
> the computer, you communicate with a user agent that has all your permissions.
> When you tell your user agent to start a program to work on some resource, such as to edit a file, your user
> agent starts the editor and delegates the subset of your permissions the program will need. As a result,
> you are able to enforce the Principle of Least Privilege on the programs you run

I'd just say I'm not a big fan of this explanation. It seems to ascribe to a capability system what seems to me a lot more like the Unix-y principle of least privilege, where you have a default set of permissions that programs run with but you can drop some.

That is in contrast to the capability principle of least authority, where you start with an empty set of authorities and can add some when running a program. This to me has always been the distinction which differentiates the principles of least authority and least privilege. So the "subset of your permissions" falls a little too close to the wrong definition for my tastes. But this is also quite possibly just me being too pedantic for the target audience.


Alan Karp

Aug 18, 2025, 5:12:05 PMAug 18
to fr...@googlegroups.com
Do you have a better way to word that concept?

--------------
Alan Karp


Matt Rice

Aug 18, 2025, 5:19:32 PMAug 18
to fr...@googlegroups.com
Never been good with words, I'd try something like:

When you tell your user agent to start a program, by default it runs it with no authority.
To work on some resource, such as to edit a file, you must tell your user agent to grant the authority necessary to fulfil 
the task. As a result, you are able to enforce the Principle of Least Authority on the programs you run.



Matt Rice

Aug 18, 2025, 5:31:52 PMAug 18
to fr...@googlegroups.com
This perhaps also requires some sort of additional text noting that you can tell the user agent to always
give permissions to some file such as font data, etc, for authorities that are "beneath mention", that you don't
want to be bothered to specify each time you want to edit a file.

I think the above is somewhat implicit in your original text, and my suggested change removes that.

Alan Karp

Aug 18, 2025, 5:34:01 PMAug 18
to fr...@googlegroups.com
That's close.  In fact, the program starts with some permissions, such as its fonts, as noted in the footnote.  So, I would say,

"When you tell your user agent to start a program to work on some resource, such as to edit a file, your user agent starts the program, which initially has none of your permissions, and delegates the subset of them the program will need."  

(I don't want to get into the whole authority vs. permissions business.)

--------------
Alan Karp
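The wording agreed on above (a program starts with none of the user's permissions and the user agent delegates the subset it needs, with "beneath mention" grants such as fonts attached automatically) is modelled in this added example, which is not code from the thread or the use-cases document. Q and U follow the document's Query/Update labels; the file names, the editor program and the UserAgent/Capability classes are constructed for illustration:

```python
from dataclasses import dataclass
Q, U = "Q", "U"   # Query and Update rights, as labelled in the document

@dataclass
class Resource:
    name: str
    content: str

@dataclass(frozen=True)
class Capability:
    """Unforgeable reference to a resource plus the rights it carries."""
    resource: Resource
    rights: frozenset
    def attenuate(self, rights):
        # A holder can delegate only rights it already has, never more.
        return Capability(self.resource, self.rights & frozenset(rights))
    def query(self):
        if Q not in self.rights:
            raise PermissionError(f"no Q on {self.resource.name}")
        return self.resource.content
    def update(self, new):
        if U not in self.rights:
            raise PermissionError(f"no U on {self.resource.name}")
        self.resource.content = new

class UserAgent:
    """Holds all the user's capabilities; a program gets only what it delegates."""
    def __init__(self, caps, always=()):
        self.caps, self.always = caps, list(always)  # 'always': e.g. font files
    def start(self, program, target, rights):
        # The program begins with nothing and receives exactly this subset.
        return program([self.caps[target].attenuate(rights), *self.always])

def editor(caps):
    """Constructed program: reads, then tries to write, each capability it got."""
    log = []
    for c in caps:
        try:
            log.append(f"read {c.resource.name}: {c.query()}")
            c.update(c.query() + "!")
            log.append(f"wrote {c.resource.name}")
        except PermissionError as e:
            log.append(f"denied: {e}")
    return log
def demo():
    agent = UserAgent(
        {"notes.txt": Capability(Resource("notes.txt", "hi"), frozenset({Q, U}))},
        always=[Capability(Resource("fonts.dat", "glyphs"), frozenset({Q}))])
    return agent.start(editor, "notes.txt", {Q})   # read-only on notes.txt
```

The editor never sees the agent's full capability table, so the only way it can write notes.txt is for the user to start it with U in the delegated subset.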


Alan Karp

Aug 18, 2025, 5:34:34 PMAug 18
to fr...@googlegroups.com
That's in the footnote.

--------------
Alan Karp


Matt Rice

Aug 18, 2025, 5:37:29 PMAug 18
to fr...@googlegroups.com
On Mon, Aug 18, 2025 at 9:34 PM Alan Karp <alan...@gmail.com> wrote:
That's close.  In fact, the program starts with some permissions, such as its fonts, as noted in the footnote.  So, I would say,

"When you tell your user agent to start a program to work on some resource, such as to edit a file, your user agent starts the program, which initially has none of your permissions, and delegates the subset of them the program will need."  


No qualms with that wording...
 

Alan Karp

Aug 18, 2025, 5:39:47 PMAug 18
to fr...@googlegroups.com
Thanks.  The change will appear on the web site after I see if there are going to be more changes.

--------------
Alan Karp

