[cap-talk] Is "Authority" Subjective?

[David Wagner]

David Hopwood writes:
>If we don't know the code of bob, then for a conservative analysis,
>don't we want to consider the maximum authority that alice might have
>for any instantiation of bob?

Yes, in some cases I think that is one reasonable way to talk about
things.  In my list of two potential ways we might use the language
"authority over Bob", it is Usage #2.  You have to be careful about the
use of quantitiers: We'll consider the implementation Bimpl of Bob such
that the authority of Alice over Bimpl is maximized, where to define
the authority of Alice over Bimpl we now need to hold Bimpl fixed.

In any case, even if we vary the implementation of Alice and consider
the implementation of Bob that provides Alice with the maximal authority,
I assert we may still want to hold some or all of the other actors fixed,
even as we consider the worst-case implementation of Bob (and even as we
vary Alice's implementation, to perform the counterfactual reasoning).

Are you suggesting we should treat Toby Murray's process P as solely a
specification of the rules enforced by the security monitor (i.e., as the
"rules of the game" that restrict what kinds of behavior for Alice and Bob
and Carol are admissible), rather than as also specifying the behavior of
Alice or Bob or Carol?  In other words, I'd like to understand whether
the CSP process P is intended to model only the "rules of the game"
enforced by the security monitor, or whether it is also intended to
specify the actual behavior/implementation of some or all of the actors.