[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Feb 5 17:31:38 EST 2008


On Tue, 2008-02-05 at 11:10 -0500, Jonathan S. Shapiro wrote:
> I think at this point we agree about what is going on, but I don't think
> that this generalization is strictly right. I want to push this
> discussion a little further in an attempt to clarify what we mean by
> "authority" in order to explain why.
> 
> Authority is an emergent property. It is, in effect, all of the
> operations that might be induced to occur (effected) in the system by
> proceeding from a given configuration.

If we restrict our attention to "all of the operations that might be
induced to occur by the actions of a particular entity proceeding from a
given configuration" then we can define the authority that the entity
possesses in this particular configuration.

>  In consequence, authority does
> not grow, and we cannot sensibly speak about "getting more authority" as
> the result of an action that is (at some point) permitted when
> proceeding from a given state.

I see your point. But we can measure the difference between the
authority that an entity has when it can, and cannot, perform a
particular action. In this way, we may quantify the authority that the
entity may wield through performing a particular action. If this action
is possible only because the entity possesses a particular capability,
then we may quantify part of the authority granted to the entity by this
particular capability. If we repeat this process for all of the
different actions allowed by a particular capability, then we may
quantify the authority that this capability grants to a particular
entity.

Of course, we can only do this if we can approximate the behaviour of
the various entities within the system. Untrusted entities (those whose
behaviour we know nothing or little about) should be approximated so as
to exhibit all legal behaviours given the initial conditions of the
system. In this way, we can get conservative bounds on the authority
of different entities within the system.

> 
> It may be that we will come back to the informal English convention that
> you adopted above, but I want to understand what it means. 

Indeed. I agree.

> I see two
> issues:
> 
>   1. It is difficult to speak about the authority of a single process,
>      because authority is a transitively emergent property. So I must
>      ask: what do you mean when you speak about the authority of a
>      process? [You made a cut at this below]

Hopefully I've clarified this above but feel free to push me further
here. (I got approval today from the department to officially spend the
rest of my doctorate on this stuff so I better know what I'm talking
about ;)

> 
>   2. Under this definition of authority, the closest I think we can come
>      to speaking about "getting more authority" is inducing a partition
>      on the universe of future computational states, one subset being
>      the future states in which the action that "got more authority"
>      never occurred.

I think this corresponds to what I said above about measuring the
difference between a subject's authority when it may, and may not,
perform a particular action. Let me know if I've misinterpreted you here
though.

> 
> As I say, I have no objection to going back to informal language, but
> I'd like to understand clearly what we actually mean when we use it.

I agree completely.

> > > The problem here is one of analytic detail. If we are prepared to
> > > analyze the behavior of the service (i.e. its program) then it may be
> > > possible to draw sensible distinctions between the authority of the
> > > service and the authority of its client.
> > > 
> > > But in the absence of such analysis, I believe that we must proceed more
> > > conservatively, and assume that the service obeys the will of its
> > > clients. Under this assumption, and excluding other environmentally
> > > imposed restrictions, the client's authority is presumptively identical
> > > to the service's authority.
> > > 
> > 
> > Essentially you're assuming the service is akin to a proxy then?
> 
> I am assuming that ANY process is either modeled or must be presumed to
> conspire. In this sense, it is worse than a proxy (as you defined it)
> because it can be requested to combine capabilities on behalf of the
> client.

Good point. The service may also combine capabilities passed to it with
ones that it already possesses but the client does not. (Of course, the
client would have no way to ask the service to do this, but if we model
the service to exhibit all possible behaviours, then we will of course
cover this case and detect that it can be confused.)
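As an added illustration of the measurement described in this message (example code, not from the cap-talk thread or any of its participants): it assumes a toy capability graph in which a subject holding an `invoke` capability on another subject can induce that subject to exercise its own capabilities, with untrusted subjects approximated by all of their legal actions and analysed ("trusted") subjects restricted to the operations their program is known to perform.

```python
"""Conservative authority bounds for a small capability graph (added example).

Authority of an entity = every (object, operation) it can induce, directly or
through subjects it can invoke (a transitive closure, since any invoked subject
is presumed to conspire).  The authority a capability grants = authority with
it minus authority without it.
"""
from typing import Dict, FrozenSet, Optional, Set, Tuple

Cap = Tuple[str, str]        # (target, right); target is an object path or a subject
Graph = Dict[str, Set[Cap]]  # subject -> capabilities it holds
INVOKE = "invoke"            # right to send requests to another subject


def authority(caps: Graph, entity: str,
              trusted: Optional[Dict[str, Set[Cap]]] = None) -> FrozenSet[Cap]:
    """Operations `entity` can induce.  `trusted` maps an analysed subject to the
    operations its program will actually perform for callers; any other subject
    is assumed to exercise ALL its capabilities on a caller's behalf."""
    trusted = trusted or {}
    reach: Set[str] = {entity}           # subjects whose actions entity can induce
    frontier = [entity]
    while frontier:                      # closure over invoke edges (conservative:
        subj = frontier.pop()            # traversed even for analysed subjects)
        for target, right in caps.get(subj, set()):
            if right == INVOKE and target in caps and target not in reach:
                reach.add(target)
                frontier.append(target)
    ops: Set[Cap] = set()
    for subj in reach:                   # the entity itself uses all it holds
        held = caps.get(subj, set()) if subj == entity else trusted.get(subj, caps.get(subj, set()))
        ops |= {(t, r) for t, r in held if r != INVOKE}
    return frozenset(ops)


def granted_by(caps: Graph, entity: str, cap: Cap,
               trusted: Optional[Dict[str, Set[Cap]]] = None) -> FrozenSet[Cap]:
    """Authority `cap` contributes to `entity`: with it minus without it."""
    without = {s: set(c) for s, c in caps.items()}
    without.setdefault(entity, set()).discard(cap)
    return authority(caps, entity, trusted) - authority(without, entity, trusted)


# Constructed sample: the client can only read /pub, but it may invoke a service
# that holds write rights the client lacks (the combination case from the thread).
SAMPLE: Graph = {
    "client":  {("/pub", "read"), ("service", INVOKE)},
    "service": {("/etc/secret", "write"), ("/var/log", "write"), ("/pub", "read")},
}
ANALYSED = {"service": {("/var/log", "write")}}   # what the service's program really does

if __name__ == "__main__":
    print(sorted(granted_by(SAMPLE, "client", ("service", INVOKE))))           # unmodelled service
    print(sorted(granted_by(SAMPLE, "client", ("service", INVOKE), ANALYSED)))  # analysed service
```

Without analysing the service, the invoke capability is charged with both writes, including /etc/secret, which is exactly the confusable deputy the conservative model flags; the client's own /pub read capability grants it nothing, since the same operation is reachable through the service anyway.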
