Askemos

Absolute power corrupts absolutely.

---

A system of rules about rights qualifies as incorruptible, if it is proven that no individual actor (or group of those) can possibly impersonate any individual under those rules.

Note that this is a purely logical, calculated predicate. To be effective in reality this assertion needs to be combined with non-repudiable audit trail.

---

An incorruptible rule set (see also LAW) can be constructed:

Each user account is the root of a extensible hierarchy of permissions/rights the user might create and convey.

The system ensures only one important property: rights are inalienable. That is: if a permission is to passed from one user to another (granted) the kernel checks that the account does have the right and it that the permission is a strict subset of some retained permission. (While owning the superset allows to revoke permissions back again.)

Due to the strict subset rule, no user will ever have all permissions of any other user. Furthermore it is also impossible that the receiver of some right could leak it to a third party.

A Footnote

Abusing local administrative power to change each bit would still be possible. That's why the incorruptible property must be used within a non-repudiable execution environment like BALL . For best practice see hetereogeneous security