[cap-talk] ... enforcement - hope? Capabilities as clumsy, not
markm at cs.jhu.edu
Wed Sep 29 21:11:56 EDT 2004
David Wagner wrote:
> Based on what I've read here, the definition of "ambient authority system"
> on this list seems to be any system where a process has associated
> with it an implicit set of rights, where when the process performs
> some operation (e.g., makes a syscall), the reference monitor checks
> whether there exists any right in the process's set that would permit
> the operation to succeed.
> In other words, ambient authority systems are ones where the process does
> not explicitly state which of its rights it is wielding (which of its
> rights it thinks demonstrates that the operation should be permitted).
> Rather, this is left implicit, and as a result the reference monitor has
> to guess at which right the process intended to use for this operation.
AFAIK, the term "ambient authority" was coined simultaneously and
independently by myself and Dean Tribble, in order to explain what was wrong
with the "Netscape capability" system. To us, it clearly wasn't a capability
system (or what we'd now call an "object-capability" system). But it had some
things in common with capabilities, including a kind of least authority
support that, I take it from the discussion, might be compared to Systrace.
AFAIK, Dean and I even independently chose the same meaning for this term. I
believe David's explanation above represents this meaning accurately. I
believe "Capability Myths Demolished"
<http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf> (see also
<http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html>) states a
compatible distinction, and uses it to categorize various access control
models -- including some ambient authority systems that, like "Netscape
capabilities", have used the term "capability" to describe themselves.
Text by me above is hereby placed in the public domain
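As an added illustration of the distinction David Wagner describes above (example code, not from the thread or from any real capability system), the following models both monitor styles; the rights, paths and the service/alice scenario are constructed for the example. The ambient monitor returns whichever right it finds, so a read of the service's own directory succeeds via a right the service did not mean to wield on alice's behalf, while the explicit monitor, told which right is being wielded, denies that request.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Right:
    """Permission to perform `op` on any path under `prefix`; `origin` records who granted it."""
    op: str
    prefix: str
    origin: str

    def permits(self, op: str, path: str) -> bool:
        return op == self.op and path.startswith(self.prefix)


class AmbientMonitor:
    """Ambient authority: the caller names only the operation, and the monitor
    searches the process's whole rights set for anything that would permit it."""
    def __init__(self, rights: Sequence[Right]) -> None:
        self.rights = tuple(rights)

    def check(self, op: str, path: str) -> Optional[Right]:
        # The result is the monitor's guess at which right the caller meant.
        return next((r for r in self.rights if r.permits(op, path)), None)


class ExplicitMonitor:
    """Explicit designation: the caller states which right it is wielding,
    and the monitor checks only that right."""
    def __init__(self, rights: Sequence[Right]) -> None:
        self.rights = frozenset(rights)

    def check(self, wielded: Right, op: str, path: str) -> Optional[Right]:
        if wielded in self.rights and wielded.permits(op, path):
            return wielded
        return None


# Constructed scenario: a service process holds a right to its own install
# directory plus a right that a client, alice, delegated for her directory.
OWN = Right("read", "/srv/app/", "service-installer")
DELEGATED = Right("read", "/home/alice/", "alice")
RIGHTS = (OWN, DELEGATED)


def ambient_guess(path: str) -> Optional[str]:
    """Origin of whichever right the ambient monitor picks for a read done for alice."""
    r = AmbientMonitor(RIGHTS).check("read", path)
    return r.origin if r else None


def explicit_result(path: str) -> Optional[str]:
    """Same read, but the service explicitly wields the right alice delegated."""
    r = ExplicitMonitor(RIGHTS).check(DELEGATED, "read", path)
    return r.origin if r else None
```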