[cap-talk] Partial authority

Toby Murray toby.murray at comlab.ox.ac.uk
Tue May 8 05:48:58 EDT 2007 

On Tue, 2007-05-08 at 03:05 +0100, David Hopwood wrote:
> Pierre THIERRY wrote:
> > Scribit David Hopwood dies 07/05/2007 hora 17:35:
> > 
> >>I.e. the definition says that both alice and bob are involved in the
> >>causal chain that leads to run() being sent to ted.
> > 
> > That's not exactly the wording of the original definition, which said "o
> > has the authority to cause e to occur". Here it would then conclude that
> > alice or bob each has the authority to run ted, which seems erroneous to
> > me, because alice cannot run ted without bob's help and vice versa.
> 

Technically, the defn says that both alice and bob each have authority
to cause the event "ted.run()" to occur. Each can cause it to occur
(provided the other takes part too). This fits with my intuition, but
intuition is often a subjective thing.

In either case, whatever you intuition, having a definition of authority
that errs on the side of caution is often a good thing from a security
standpoint. Certainly having a definition that underestimates a
subject's authority is not a good thing. Hence, I think having a defn
that excludes the possibility that alice or bob has authority to run ted
would be dangerous, since clearly both can cause ted to run (but not
alone).

If one wanted to find out whether alice has authority to cause ted to
run without bob's help, then one could perform the same analysis
restricting one's attention to all traces that don't contain any "bob"
events.

In this case, we wouldn't even find any traces with "ted.run()" in them.
Hence, we can easily find out whether a subject is able to cause an
event without another subject's help -- if that's what you're interested
in.

There are other variations on this sort of analysis that can tell you
other things such as whether a particular subject has exclusive
authority to cause some event, and so on. In each case, we restrict our
attention to a subset of the total set of traces for our system.


<snip>

> In any case, the definition doesn't seem to correspond to an intuitive
> notion of authority in cases where the same event can happen as a result
> of causal chains involving any of several principals. I'm curious to hear
> Toby's response to that.

See my response to the original  message and my apologies for the delay.
I've been away from email for a couple days.

Cheers

Toby

More information about the cap-talk mailing list