[cap-talk] getting authorization from the user and the great insight
Jed Donnelley
capability at webstart.com
Fri Oct 5 02:35:51 EDT 2007
At 09:46 PM 10/4/2007, ihab.awad at gmail.com wrote:
>On 10/4/07, Jed Donnelley <jed at nersc.gov> wrote:
> > In the context of running computer programs
> > I use that term to denote the granting of
> > a permission to access an object. I very much
> > doubt your sentence ever appeared as an
> > object that was access controlled.
>
>If I highlight a sentence in component A and drag it to component B,
>assuming everything is written in a fine-grained capability runtime
>such as E, B gets a reference to a TextSnippet object from A. This
>object *is* a capability in that it conveys authority hitherto
>unavailable to B. One would assume that either A makes a defensive
>copy, or wraps the text in an object that ensures no other part of the
>text is leaked over to B.
>So the piece of text is protected by capability security.
Hmmm. I find it a bit odd conveying pass by value data by
such a reference. Generally when I think of a message
moving between domains (vats, processes) I distinguish
between the data that moves, which I don't consider an
authorization, and any capabilities that move, which I
do consider authorizations. Why make up a reference to
point to pass by value data?
>To use your city hall analogy, if I walk up to someone and dictate to
>them my bank account details, I *am* giving them authority.
I agree, but giving them the time of day is not. My
distinction is between pass by value data and a reference
to an object.
>So I guess my point is that, in the general sense, no class of actions
>can be partitioned out as being devoid of authority implications by
>virtue of application programming concerns alone. Some typing of ascii
>text may convey huge amounts of authority, while some dragging,
>dropping and linking of objects may convey no useable authority at all
>(e.g., if I drag a URL to a resource that is well known to everyone
>anyway, like the Google logo GIF file).
Mine is that I want to have clearly defined in my UI
what the authority granting implications are of any actions
I take. I consider the above copying of text as so trivial
a granting of "authority" that I don't care about it and
would prefer to strip it of the name. The bank account
example, however, if it includes details like a pin that
can grant full access, then I do consider that granting
authority and I consider it very significant. I don't
want to take what I consider to be a trivial UI action
and have it "harvested" to grant access to my bank account
to some other party.
I believe the examples that I listed of UI actions:
1. Double click an object icon
2. Drag and drop a reference onto an icon or into a window
3. Grant access through a "Power Box" selection
4. Copy and paste a reference (not just text or graphics)
5. Grant access to a container (e.g. as 1-4).
can be made to clearly coordinate a user action with
an understood nontrivial authorization. The significance
of the authorization may be tied to the importance of
the object to which access is being granted. I just
want to be clear that my actions do or do not grant
such an authorization to the objects in my domain.
Doubtless there are many more UI actions that could fall
into this category. I just want to have them carefully
defined/distinguished from actions that don't convey
authority (significant authority).
Am I using this "authorization" terminology in a way
that is contrary to what has become deeply rooted common
usage in some circles such as computer security circles?
If so then perhaps I need a term other than "authorization"
to get at what I am looking for? I think that would be
unfortunate, but sometimes it happens.
--Jed http://www.webstart.com/jed-signature.html
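A small model of the distinction argued over above (data that crosses a domain boundary by value versus a reference that conveys authority, and the defensive copy Ihab mentions), as an added example that is not part of the original post and not E code. The Document, TextSnippet, LeakySnippet and Message classes and the two audit functions are this example's own names and assumptions, written in Python rather than in a capability-safe runtime:

```python
"""Added example: what crosses a domain boundary when a user drags a text
selection from component A to component B. All names here are assumptions of
this example, not E's or any real toolkit's API."""
import copy


class Document:
    """Component A's full buffer. Holding a reference to it is authority over
    the whole text, including the ability to change it."""

    def __init__(self, text: str) -> None:
        self._text = text

    def text(self) -> str:
        return self._text

    def replace(self, new_text: str) -> None:
        self._text = new_text


class TextSnippet:
    """Read-only facet for the drop target. It copies just the selected
    characters when created, so the receiver reaches neither the rest of the
    document nor its mutator, and later edits to the document stay invisible."""

    __slots__ = ("_chars",)

    def __init__(self, doc: Document, start: int, end: int) -> None:
        self._chars = doc.text()[start:end]

    def text(self) -> str:
        return self._chars


class LeakySnippet:
    """The mistake the quoted text warns against: a 'snippet' that keeps the
    whole Document and reads the range lazily. Its text() looks identical,
    but the receiver now holds a path to all of A's text."""

    def __init__(self, doc: Document, start: int, end: int) -> None:
        self._doc = doc
        self._start, self._end = start, end

    def text(self) -> str:
        return self._doc.text()[self._start:self._end]


class Message:
    """What moves between domains (vats, processes): plain data by value,
    and object references only when listed explicitly as capabilities."""

    def __init__(self, data: object = None, caps: tuple = ()) -> None:
        self.data = copy.deepcopy(data)   # data is copied, never shared
        self.caps = tuple(caps)           # references travel only if listed

    def granted_authority(self) -> list:
        """What a UI could show before completing the action: the kinds of
        object the receiver will hold a reference to."""
        return [type(c).__name__ for c in self.caps]


def drag_by_value(doc: Document, start: int, end: int) -> Message:
    """Selection moves as data; no capability accompanies it."""
    return Message(data=doc.text()[start:end])


def drag_as_facet(doc: Document, start: int, end: int) -> Message:
    """Selection moves as a reference to a defensively copied facet."""
    return Message(caps=(TextSnippet(doc, start, end),))


def drag_as_leaky_facet(doc: Document, start: int, end: int) -> Message:
    """Same UI gesture, but the facet retains the Document (constructed bug)."""
    return Message(caps=(LeakySnippet(doc, start, end),))


def power_box_grant(doc: Document) -> Message:
    """Item 3 of the UI list: the user explicitly grants the document itself."""
    return Message(caps=(doc,))


def receiver_can_mutate(msg: Message) -> bool:
    """Can the receiver change A's document with only what it was handed?"""
    return any(callable(getattr(c, "replace", None)) for c in msg.caps)


def reachable_documents(msg: Message) -> int:
    """Count Document objects reachable from the received capabilities by
    walking instance attributes: a 'harvesting' check run on the message."""
    seen, found, stack = set(), 0, list(msg.caps)
    while stack:
        obj = stack.pop()
        if id(obj) in seen:
            continue
        seen.add(id(obj))
        if isinstance(obj, Document):
            found += 1
        stack.extend(getattr(obj, "__dict__", {}).values())
        for name in getattr(obj, "__slots__", ()):
            if hasattr(obj, name):
                stack.append(getattr(obj, name))
    return found
```

The two drag variants yield the same three characters at the receiver, which is exactly why a UI cannot tell them apart by what the user sees; only the audit of what references travelled in the message (granted_authority, reachable_documents) distinguishes a trivial copy from a grant of the whole document.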