[cap-talk] Authority is always potential (was: Re: Reinterpreting POLA...)

Mark Miller erights at gmail.com
Wed Sep 19 21:36:04 EDT 2007


First, I must admit I've only been skimming this thread, so my
apologies if my remarks are redundant, irrelevant, or already refuted.
But from the skimming I've done, it seems to me we keep dancing around
a distinction that, IIUC, Fred got right in his thesis.

Authority is about causality. Causality is about counter-factuals,
i.e., reasoning over sets of possible worlds consistent with one's
partial knowledge. If you have full knowledge of an actual system,
including the actual behavior of all the objects in the system under
all conditions, then causality and authority are meaningless in
attempting to describe this system. (To the creatures simulating our
universe, "I" didn't cause this email message to be sent. The actual
universe is the only possible universe, and the initial conditions of
the universe already pre-determined that my hand would move to press
the send button. It couldn't be any other way.)

Fred's thesis distinguishes relied-upon objects from non-relied-upon
objects. For a given system and a given stakeholder, that stakeholder
will rely upon some objects to constrain the behavior of other objects
they don't rely upon. The stakeholder's security analysis depends on
modeling the behavior of their relied upon objects, i.e., of the
objects whose behavior they rely on to be within the model of behavior
they construct. For these objects, one does not speak of the authority
they have, and one does not need to. The stakeholder cares to know a
bound on the authority non-relied upon objects may come to possess.
These are exactly the objects whose behavior the stakeholder assumes
himself ignorant of. Any possible behavior, within the constraints of
the other relied upon behaviors, is within the set of universes this
stakeholder considers possible. The stakeholder therefore cares what
authority their relied upon objects *provide to* non-relied upon
objects.

Of course, one should also worry about whether one's models of relied
upon objects are correct. Within a system such as Fred's, one can ask,
for each relied upon object, what if we considered this a non-relied
upon object? What's the worst that it could do? I would say that the
answer tells us how much authority that object has. But to make this
answer meaningful, I had to change the question.

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
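The "change the question" move above (bound the references non-relied-upon objects may come to hold; then ask what a relied-upon object could do if it were treated as non-relied-upon) as a small fixpoint computation over a toy capability graph. This is an added illustration, not code from the thread or from Fred's thesis; the object names, the graph, and the "handouts" behaviour model are constructed assumptions.

```python
from typing import Dict, Set

Graph = Dict[str, Set[str]]

# Constructed sample: which object holds a reference to which.  alice and bob
# hold the proxy; only the proxy holds file_b.
HOLDS: Graph = {
    "alice": {"file_a", "proxy"},
    "bob": {"proxy"},
    "proxy": {"file_b"},
    "file_a": set(),
    "file_b": set(),
}

# Behaviour model for relied-upon objects: the references each one is modelled
# as willing to hand to a caller.  The proxy mediates file_b but never hands
# the reference itself out, so its modelled handout set is empty.
HANDOUTS: Dict[str, Set[str]] = {"proxy": set()}


def authority_bound(holds: Graph, relied: Set[str],
                    handouts: Dict[str, Set[str]]) -> Graph:
    """Bound on the references each object may come to hold.

    Non-relied-upon objects are assumed capable of anything: invoking what
    they hold, passing every reference to every object they hold, and
    returning every reference to whoever invokes them.  Relied-upon objects
    are assumed to behave only as `handouts` says.  Iterates to a fixpoint.
    """
    bound: Graph = {o: set(refs) for o, refs in holds.items()}
    while True:
        size = sum(len(r) for r in bound.values())
        for x in [o for o in bound if o not in relied]:
            for y in list(bound[x]):
                if y in relied:
                    bound[x] |= handouts.get(y, set())  # only modelled behaviour
                else:
                    bound.setdefault(y, set()).update(bound[x])  # x shares all with y
                    bound[x] |= bound[y]                         # y returns all to x
        if sum(len(r) for r in bound.values()) == size:
            return bound


def worst_case_authority(obj: str, holds: Graph, relied: Set[str],
                         handouts: Dict[str, Set[str]]) -> Set[str]:
    """The changed question: treat `obj` as non-relied-upon and ask what it
    could come to hold.  That answer is the authority `obj` has."""
    return authority_bound(holds, relied - {obj}, handouts)[obj]


if __name__ == "__main__":
    print("bob, proxy relied upon:", sorted(authority_bound(HOLDS, {"proxy"}, HANDOUTS)["bob"]))
    print("proxy if not relied upon:", sorted(worst_case_authority("proxy", HOLDS, {"proxy"}, HANDOUTS)))
```

With the proxy relied upon, neither alice nor bob can reach file_b; dropping the proxy from the relied-upon set shows both the authority the proxy itself holds and what it would then provide to alice and bob.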

