[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)
Toby Murray
toby.murray at comlab.ox.ac.uk
Wed Feb 6 04:03:58 EST 2008
On Tue, 2008-02-05 at 21:31 -0500, Jonathan S. Shapiro wrote:
> On Tue, 2008-02-05 at 22:31 +0000, Toby Murray wrote:
> >
> > If we restrict our attention to "all of the operations that might be
> > induced to occur by the actions of a particular entity proceeding from a
> > given configuration" then we can define the authority that the entity
> > possesses in this particular configuration.
>
> I think that it is not so simple as that, because those operations need
> to include the operations of downstream entities that are invoked
> consequentially. Some definition along these lines might be made to
> work, but this doesn't seem to be it yet.
Indeed. But this would appear to be a property akin to "transitivity".
If the actions of an object o can cause a downstream object p to perform
some action e, and if the occurrence of e subsequently causes some
further downstream entity to perform some action f, then we merely
require that o be considered to have caused (or helped cause) f, i.e.
the causation property is transitive.
If this is the case, then hopefully we cover all bases.
> > > In consequence, authority does
> > > not grow, and we cannot sensibly speak about "getting more authority" as
> > > the result of an action that is (at some point) permitted when
> > > proceeding from a given state.
> >
> > I see your point. But we can measure the difference between the
> > authority that an entity has when it can, and cannot, perform a
> > particular action.
>
> Yes. I think this is another way of saying that we can partition the
> universe of future states into the set in which some class of actions of
> interest did or did not occur.
Good, I'm glad we agree.
>
> > In this way, we may quantify the authority that the
> > entity may wield through performing a particular action. If this action
> > is possible only because the entity possesses a particular capability,
> > then we may quantify part of the authority granted to the entity by this
> > particular capability. If we repeat this process for all of the
> > different actions allowed by a particular capability, then we may
> > quantify the authority that this capability grants to a particular
> > entity.
>
> That seems plausible, but I am concerned that this may be one of those
> places where there is a subtle modeling problem. In particular, we need
> to consider two cases in which subject S0 performs some operation O:
>
> 1. The case in which S0 is, in some sense, the initiator of O
> 2. The case in which S0 performed operation O in response to some
> invocation made on S0 by a third party.
>
> The tricky part here is that if we prohibit O altogether, we may cause
> other subjects to fail in various ways because we eliminated type [2]
> invocations, and this will alter the entire multiverse of authority.
>
> I am not sure how to proceed here. I simply raise the issue. Offhand,
> the issue seems to imply a need to define some sense of "intent" -- at
> least for some forms of analysis. That strikes me as a potentially
> sticky wicket. Possible in some cases, but fraught with opportunities
> for erroneous models.
>
I see your point. This is the sort of issue I'd be hoping to avoid
having to deal with but it may arise inevitably.
> > Untrusted entities (those whose
> > behaviour we know nothing or little about) should be approximated so as
> > to exhibit all legal behaviours given the initial conditions of the
> > system. In this way, we can get a conservative bound on the authority
> > of different entities within the system.
>
> I believe that by "legal" you mean "all actions that are possible given
> the permission state that exists at the time of the action". Not to be
> confused with "all actions that were considered right and proper at the
> time of the action."
Indeed. Is there a better term than "legal" for what I'm trying to say
here?
> > >
> > > 2. Under this definition of authority, the closest I think we can come
> > > to speaking about "getting more authority" is inducing a partition
> > > on the universe of future computational states, one subset being
> > > the future states in which the action that "got more authority"
> > > never occurred.
> >
> > I think this corresponds to what I said above about measuring the
> > difference between a subject's authority when it may, and may not,
> > perform a particular action. Let me know if I've misinterpreted you here
> > though.
>
> We seem to be converging. Did my comments above address this point?
Yes.
>
> > > I am assuming that ANY process is either modeled or must be presumed to
> > > conspire. In this sense, it is worse than a proxy (as you defined it)
> > > because it can be requested to combine capabilities on behalf of the
> > > client.
> >
> > Good point. The service may also combine capabilities passed to it with
> > ones that it already possesses but the client does not.
>
> Precisely. Because of this, if we must resort to informal labels, I
> think it is better to refer to such a process as a "conspirator". The
> label "proxy" implies a process that is attempting to execute the
> client's will in a fairly direct way. This leads one into intuitions
> that assume predictable behavior of a sort that doesn't seem right for
> this type of model.
>
I agree completely.
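The three ideas argued over above (causation treated as transitive, unmodelled entities approximated as exhibiting every legal behaviour so that the result is a conservative bound, and a "conspirator" that combines its own capabilities with whatever it is asked to do) as an added, constructed toy model that is not part of the thread. The subject names, the `Subject` class and the `authority` / `granted_by` helpers are all assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Constructed toy model: an operation is a (target, op) pair and a subject's
# capabilities are the operations it may perform directly.
Op = tuple[str, str]

@dataclass
class Subject:
    name: str
    caps: set[Op] = field(default_factory=set)
    # Modelled subject: the operations it performs when invoked.
    # None = unmodelled, so it is approximated as a conspirator that may
    # perform any operation its own capabilities permit (capabilities the
    # caller passes in are already counted in the caller's authority).
    on_invoke: Optional[set[Op]] = None

def authority(system: dict[str, Subject], start: str,
              forbidden: frozenset[Op] = frozenset()) -> frozenset[Op]:
    """Conservative bound on every operation `start` can cause, directly or via
    the downstream subjects it invokes (causation is treated as transitive).
    Operations in `forbidden` are assumed never to occur, which lets a caller
    compare the futures in which an operation did and did not happen."""
    reached: set[Op] = set()
    worklist = list(system[start].caps)
    while worklist:
        op = worklist.pop()
        if op in forbidden or op in reached:
            continue
        reached.add(op)
        target, kind = op
        callee = system.get(target)
        if kind != "invoke" or callee is None:
            continue  # plain object operation, nothing further downstream
        downstream = callee.caps if callee.on_invoke is None else callee.on_invoke
        worklist.extend(downstream)
    return frozenset(reached)

def granted_by(system: dict[str, Subject], start: str, op: Op) -> frozenset[Op]:
    """Authority `start` wields only because `op` can occur: the difference
    between the two halves of the partition of future states."""
    return authority(system, start) - authority(system, start, frozenset({op}))

def build_example(logger_modelled: bool = True) -> dict[str, Subject]:
    # logger holds a network capability but, when modelled, only ever writes a log
    logger = Subject("logger", {("log", "write"), ("net", "send")},
                     {("log", "write")} if logger_modelled else None)
    proxy = Subject("proxy", {("files", "read"), ("logger", "invoke")})  # unmodelled
    client = Subject("client", {("proxy", "invoke")})
    return {s.name: s for s in (client, proxy, logger)}
```

With the logger modelled, the client's bound excludes `("net", "send")`; treating the logger as an unmodelled conspirator adds it, which is exactly the widening the conservative approximation is meant to produce.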