Practical Principles for Computer Security 

Butler Lampson


Citation: In Software System Reliability and Security, Proceedings of the 2006 Marktoberdorf Summer school.

Links: Abstract, Acrobat, Web page, Word. Slides for the lectures, which present much of the same material, are here.

Email: This paper is at



The standard model for computer security is access control: deciding whether or not to accept a request from a source to do an operation on an object. Determining the source of a request is called authentication; deciding whether to accept it is called authorization.

In a system with many parts, especially when they are managed by different authorities, determining the source of a request is not simple. The authorization policy is probably something like “members of the Alpha project team may read and write the files in the /projects/alpha directory”. The direct information that the object has about the source of the request is usually that it was signed by some cryptographic key. These lectures are about bridging the gap between the key and the project team.

The key ideas are principals, a relation between principals called “speaks for”, a logic for reasoning about what resources a principal can speak for, and rules for abstracting from the bits exchanged among interacting parties to logical formulas. These ideas provide a way to reason formally about delegation, names, groups, computer systems, applications, and authorization policy.