[cap-talk] ... enforcement - hope? Capabilities as clumsy, not

Mark Miller markm at cs.jhu.edu
Wed Sep 29 21:11:56 EDT 2004

David Wagner wrote:
> Based on what I've read here, the definition of "ambient authority system"
> on this list seems to be any system where a process has associated
> with it an implicit set of rights, where when the process performs
> some operation (e.g., makes a syscall), the reference monitor checks
> whether there exists any right in the process's set that would permit
> the operation to succeed.
> In other words, ambient authority systems are ones where the process does
> not explicitly state which of its rights it is wielding (which of its
> rights it thinks demonstrates that the operation should be permitted).
> Rather, this is left implicit, and as a result the reference monitor has
> to guess at which right the process intended to use for this operation.

AFAIK, the term "ambient authority" was coined simultaneously and 
independently by myself and Dean Dribble, in order to explain what was wrong 
with the "Netscape capability" system. To us, it clearly wasn't a capability 
system (or what we'd now call an "object-capability" system). But it had some 
things in common with capabilities, including a kind of least authority 
support that, I take it from the discussion, might be compared to Sys trace.

AFAIK, Dean and I even independently chose the same meaning for this term. I 
believe David's explanation above represents this meaning accurately. I 
believe "Capability Myths Demolished" 
<http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf> (see also 
<http://www.eros-os.org/pipermail/cap-talk/2003-March/001133.html>) states a 
compatible distinction, and uses it to categorize various access control 
models -- including some ambient authority systems that, like "Netscape 
capabilities", have used the term "capability" to describe themselves.

Text by me above is hereby placed in the public domain
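An added illustration of the distinction David describes above, not code from the post or from any system it names: a toy reference monitor in which the ambient check searches the process's whole right set for anything that would permit the operation, while the capability check only verifies the one right the process explicitly presents. The compiler-service and path names are constructed for the example.

```python
# Added example, not part of the cap-talk post. All names are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Capability:
    """Unforgeable token designating one object and one permitted operation."""
    obj: str
    op: str

@dataclass
class Process:
    name: str
    rights: set = field(default_factory=set)  # ambient: (obj, op) pairs the monitor may match
    caps: set = field(default_factory=set)    # explicit: capabilities the process holds

def ambient_check(proc, op, obj):
    """Ambient authority: the process names only the operation and target;
    the monitor guesses by searching the whole right set for a match."""
    return (obj, op) in proc.rights

def capability_check(proc, cap, op, obj):
    """Object-capability: the process says which right it is wielding;
    the monitor checks only that this capability is held and fits the request."""
    return cap in proc.caps and cap.obj == obj and cap.op == op

def deputy_ambient(service, requested_out):
    """A service writing a client-chosen output path under ambient authority:
    it cannot say which of its rights it means, so any matching right is used."""
    return ambient_check(service, "write", requested_out)

def deputy_capability(client, service, requested_out):
    """Same service, but the client must hand over a capability it holds;
    the service then wields exactly that right and nothing else."""
    cap = next((c for c in client.caps if c.obj == requested_out and c.op == "write"), None)
    if cap is None:
        return False  # client cannot designate a file it holds no capability for
    service.caps.add(cap)
    return capability_check(service, cap, "write", requested_out)

def scenario():
    """Constructed case: the service may write its own billing log and the client's object file."""
    service = Process("compiler", rights={("/var/log/billing", "write"), ("/tmp/out.o", "write")},
                      caps={Capability("/var/log/billing", "write")})
    client = Process("client", caps={Capability("/tmp/out.o", "write")})
    return {"ambient_legit": deputy_ambient(service, "/tmp/out.o"),
            "ambient_billing": deputy_ambient(service, "/var/log/billing"),  # monitor's guess permits it
            "cap_legit": deputy_capability(client, service, "/tmp/out.o"),
            "cap_billing": deputy_capability(client, service, "/var/log/billing")}
```

Under the ambient check the client-supplied billing path is permitted because the monitor finds some right that matches; under the capability check the client cannot even designate that file.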
