[cap-talk] Is "Authority" Subjective?

Toby Murray toby.murray at comlab.ox.ac.uk
Fri Jun 22 10:48:08 EDT 2007 

On Fri, 2007-06-22 at 16:40 +0200, Pierre THIERRY wrote:
> As I have understood
> it from various discussions and presentations about capabilities, here
> we mean that a subject A has a permission on object B if A can invoke
> some methods of B, and that A has an authority on B if A can use some of
> its permissions for some methods of B to be invoked.

This appears objective -- or perhaps I mean "well-defined" (probably
"subjective" wasn't the word I wanted originally but never mind). What
we probably mean by authority is:

A has authority over B if A can use some of its permissions to /cause/ B
to do something (whether respond to an invocation or whatever doesn't
matter -- I'm not limiting myself to the object-capability model here.)

> > Argument 1: Before Alice acts, Bob can perform b -- the system won't
> > refuse it. After Alice finishes acting, Bob can perform b -- the
> > system won't refuse it. With and without Alice acting, Bob can still
> > perform b.  Hence, Alice doesn't cause Bob to perform b and hence, has
> > no authority to do so. 
> 
> I'm not sure that stands. Wether Bob may decide to do b indepently of
> the request of Alice is orthogonal to wether Bob will do b if Alice
> requests it.
> 
> If Bob is coded to serve each request of Alice to do b, then Alice has
> the authority to do b.
> 

I think my original example was misleading. let me present the same
example but with concrete event names to try to show a clearer picture
of what I mean here.

Suppose we have 3 objects/subjects/actors/whatever, Alice, Bob and Carol
and the system is 

P = aliceInvokesCarol -> carolRespondsToAlice -> bobInvokesCarol -> STOP
[]
    bobInvokesCarol -> STOP

i.e. initially either Alice or Bob can invoke Carol. Once invoked by
Alice, Bob can't invoke Carol until she responds to Alice. 

Would you say that Alice can cause Bob to invoke Carol?

This is the same question as before but hopefully more intelligible.
Apologies for the opaque example first time round and thanks for your
thoughts so far.

Cheers

Toby

More information about the cap-talk mailing list