[cap-talk] Partial authority

David Hopwood david.hopwood at industrial-designers.co.uk
Mon May 7 22:05:37 EDT 2007


Pierre THIERRY wrote:
> David Hopwood wrote on 07/05/2007 at 17:35:
> 
>>I.e. the definition says that both alice and bob are involved in the
>>causal chain that leads to run() being sent to ted.
> 
> That's not exactly the wording of the original definition, which said "o
> has the authority to cause e to occur". Here it would then conclude that
> alice or bob each has the authority to run ted, which seems erroneous to
> me, because alice cannot run ted without bob's help and vice versa.

That's a valid point, although arguably "o is involved in the causal chain
that leads to e" is still useful for security analysis, since then we know
that it *may* be possible to prevent e by excluding some behaviours of o.

(The definition does not guarantee that we can prevent e by excluding some
behaviours of o. If o is not involved in the causal chain that leads to e,
OTOH, then we know that changing the behaviour of o is useless in trying
to prevent e.)

In any case, the definition doesn't seem to correspond to an intuitive
notion of authority in cases where the same event can happen as a result
of causal chains involving any of several principals. I'm curious to hear
Toby's response to that.

-- 
David Hopwood <david.hopwood at industrial-designers.co.uk>


