[cap-talk] Is "Authority" Subjective?

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Jun 25 05:43:12 EDT 2007


On Sun, 2007-06-24 at 14:57 -0700, David Wagner wrote:
> David Hopwood writes:
> >If we don't know the code of bob, then for a conservative analysis,
> >don't we want to consider the maximum authority that alice might have
> >for any instantiation of bob?
> 
> Yes, in some cases I think that is one reasonable way to talk about
> things.  In my list of two potential ways we might use the language
> "authority over Bob", it is Usage #2.  You have to be careful about the
> use of quantifiers: We'll consider the implementation Bimpl of Bob such
> that the authority of Alice over Bimpl is maximized, where to define
> the authority of Alice over Bimpl we now need to hold Bimpl fixed.
> 
> In any case, even if we vary the implementation of Alice and consider
> the implementation of Bob that provides Alice with the maximal authority,
> I assert we may still want to hold some or all of the other actors fixed,
> even as we consider the worst-case implementation of Bob (and even as we
> vary Alice's implementation, to perform the counterfactual reasoning).
> 
> Are you suggesting we should treat Toby Murray's process P as solely a
> specification of the rules enforced by the security monitor (i.e., as the
> "rules of the game" that restrict what kinds of behavior for Alice and Bob
> and Carol are admissible), rather than as also specifying the behavior of
> Alice or Bob or Carol?  In other words, I'd like to understand whether
> the CSP process P is intended to model only the "rules of the game"
> enforced by the security monitor, or whether it is also intended to
> specify the actual behavior/implementation of some or all of the actors.

Both, depending on what you want. Subjects that you trust a lot about
their behaviour can be modelled with fairly restrictive behaviour that
mirrors your expectations about how they're likely to act in practice.
Subjects that you don't trust will be modelled with maximum behaviour
(i.e. the most nondeterministic subject that plays by the rules of the
game). In all cases, subjects are modelled to play by the rules of the
game.

Usually the security-enforcing subjects are trusted. Hence we model
their behaviour precisely. Adversaries and other untrusted subjects are
given maximal behaviour. Usually it's the same untrusted subjects that
we're trying to measure the authority of. But we might just want to know
for a particular behaviour of Alice, whether she can influence Bob. In
this case we just restrict our model to only include this particular
behaviour of Alice.

I hope that sounds OK.
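The modelling choices described in this thread, as an added illustration that is not part of the original message and is written in Python rather than CSP: the capability graph is the "rules of the game" enforced by a monitor, each subject is given either its precise (trusted) behaviour or the maximal behaviour the monitor admits, and Alice's authority over Bob is measured counterfactually by comparing what Bob can observe when Alice acts against what he can observe when she stays silent. The subjects, the capability graph, the message alphabet and the helper names are all constructed for this example. The last two scenarios in the block show the point raised about holding other actors fixed: the same Alice is judged to have authority over Bob when Carol is modelled precisely as a forwarder, and no authority when Carol is given maximal behaviour, because a maximal Carol can reach Bob on her own.

```python
# Constructed example: three subjects, a capability monitor, and a
# counterfactual test of whether Alice can influence what Bob observes.
# System state = frozenset of received events (recipient, sender, message).

SUBJECTS = ("alice", "bob", "carol")
MESSAGES = ("ping", "pong")

# Rules of the game: who holds a capability to send to whom.
# Alice cannot reach Bob directly; she can only reach Carol.
CAPS = {"alice": {"carol"}, "carol": {"bob"}, "bob": set()}


def admissible(state, subj):
    """Every send the monitor allows `subj` to make in `state`.
    This is the maximal, most nondeterministic behaviour that still
    plays by the rules of the game."""
    return {(subj, dst, m) for dst in CAPS[subj] for m in MESSAGES}


def maximal(state, subj):
    """Behaviour of an untrusted subject: anything the monitor admits."""
    return admissible(state, subj)


def silent(state, subj):
    """A subject that never acts (the counterfactual baseline for Alice)."""
    return set()


def forwarding_carol(state, subj):
    """A trusted, precisely modelled Carol: forwards to Bob exactly the
    messages she has received and nothing else."""
    received = {m for (dst, src, m) in state if dst == subj}
    return {(subj, "bob", m) for m in received} & admissible(state, subj)


def ping_only_alice(state, subj):
    """One particular behaviour of Alice: she only ever sends 'ping' to Carol."""
    return {(subj, "carol", "ping")}


def explore(behaviours):
    """All reachable system states. A send happens only if the subject's
    behaviour offers it AND the monitor admits it. Because state is a set
    of received events, the state space is finite and exploration terminates."""
    start = frozenset()
    seen = {start}
    frontier = [start]
    while frontier:
        state = frontier.pop()
        for subj, behave in behaviours.items():
            for (src, dst, m) in behave(state, subj) & admissible(state, subj):
                nxt = state | {(dst, src, m)}
                if nxt not in seen:
                    seen.add(nxt)
                    frontier.append(nxt)
    return seen


def bob_observations(behaviours):
    """Everything Bob can ever observe (sender, message) under these behaviours."""
    return {(src, m) for st in explore(behaviours)
            for (dst, src, m) in st if dst == "bob"}


def alice_influences_bob(alice_behaviour, others):
    """Counterfactual authority test: can Bob observe something when Alice
    behaves as `alice_behaviour` that he cannot observe when she is silent?
    `others` fixes the behaviour of every subject except Alice."""
    acting = bob_observations({**others, "alice": alice_behaviour})
    baseline = bob_observations({**others, "alice": silent})
    return acting != baseline


if __name__ == "__main__":
    trusted_carol = {"carol": forwarding_carol, "bob": silent}
    print("Alice maximal, Carol trusted forwarder:",
          alice_influences_bob(maximal, trusted_carol))
    print("Alice maximal, Carol never forwards:",
          alice_influences_bob(maximal, {"carol": silent, "bob": silent}))
    print("Alice maximal, Carol maximal:",
          alice_influences_bob(maximal, {"carol": maximal, "bob": silent}))
    print("Alice sends only 'ping', Bob observes:",
          bob_observations({"alice": ping_only_alice, **trusted_carol}))
```

Restricting the model to one particular behaviour of Alice is just a matter of passing a more deterministic behaviour function (here `ping_only_alice`) in place of `maximal`; the exploration and the monitor stay the same.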
