[cap-talk] Toby's Confused deputy statement (was: Re: Confused deputies in hybrid systems)

Jed Donnelley jed at nersc.gov
Wed Feb 6 14:43:46 EST 2008


On 2/6/2008 1:03 AM, Toby Murray wrote:
> On Tue, 2008-02-05 at 21:31 -0500, Jonathan S. Shapiro wrote:
...
>> I am not sure how to proceed here. I simply raise the issue. Offhand,
>> the issue seems to imply a need to define some sense of "intent" -- at
>> least for some forms of analysis. That strikes me as a potentially
>> sticky wicket. Possible in some cases, but fraught with opportunities
>> for erroneous models.

Whew, I hope not.  The notion of the authority that a
capability adds seems pretty clear to me (operations,
no matter how emergent, that can be performed with the
capability, but not without it).

>>>>   2. Under this definition of authority, the closest I think we can come
>>>>      to speaking about "getting more authority" is inducing a partition
>>>>      on the universe of future computational states, one subset being
>>>>      the future states in which the action that "got more authority"
>>>>      never occurred.
>>> I think this corresponds to what I said above about measuring the
>>> difference between a subject's authority when it may, and may not,
>>> perform a particular action. Let me know if I've misinterpreted you here
>>> though.
>> We seem to be converging. Did my comments above address this point?
> 
> Yes.

Converging I would say, but the terminology still sounds
what I hope is unnecessarily convoluted.

>>>> I am assuming that ANY process is either modeled or must be presumed to
>>>> conspire. In this sense, it is worse than a proxy (as you defined it)
>>>> because it can be requested to combine capabilities on behalf of the
>>>> client.
>>> Good point. The service may also combine capabilities passed to it with
>>> ones that it already possesses but the client does not.
>> Precisely. Because of this, if we must resort to informal labels, I
>> think it is better to refer to such a process as a "conspirator". The
>> label "proxy" implies a process that is attempting to execute the
>> client's will in a fairly direct way. This leads one into intuitions
>> that assume predictable behavior of a sort that doesn't seem right for
>> this type of model.
> 
> I agree completely.

In the interest of simplicity can we try the modification of
Toby's original (simple) statement that I suggest in:

http://www.eros-os.org/pipermail/cap-talk/2008-February/009831.html

Namely:
__________
In any case in which a service may get more authority than its client
from a capability, the service is potentially confusable by that
capability sent from the client.
__________

Perhaps a bit subtle, but I'll be interested in Jonathan's
reaction particularly.  In this form the statement refers
to the authority that the client and the server "get"
from a capability - e.g. as if there was no other consideration,
the capability just arrived out of the blue.  Only in
the last clause does it refer to the confusion possible
if the capability is communicated from the client to
the server.

In fact, now that I think of it, there seems to be an
interesting case hidden in there.

Suppose both the client and the server already
have all the authority that might be afforded
by the new capability?  In such a case if the
communication of the capability from client
to server doesn't add any authority to the
server but was still authority possessed
by the client, is that still a case where
there can be "confusion" induced in the server?

Odd case.

--Jed http://www.webstart.com/jed/
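The definitions Jed and Toby are circling (authority a capability adds = operations possible with it but not without it; a service combining a passed capability with ones it already holds; and Jed's "odd case") are made executable below in a toy model. This is an added example, not code from the cap-talk thread; the capability triples, the single "read x + write y yields copy x to y" emergence rule, and the two scenarios are all constructed assumptions.

```python
from itertools import product

# A capability is a (cap_id, resource, op) triple; cap_id distinguishes two
# capabilities that happen to grant the same (resource, op) pair.

def authority(caps):
    """Operations a subject can perform holding exactly these caps.
    Direct authority is what each cap grants; emergent authority is
    modelled by one assumed rule: read on x plus write on y lets the
    holder copy x into y (the capability combination the thread discusses)."""
    direct = {(res, op) for _, res, op in caps}
    readable = {res for res, op in direct if op == "read"}
    writable = {res for res, op in direct if op == "write"}
    emergent = {("copy", s, d) for s, d in product(readable, writable) if s != d}
    return direct | emergent

def added_authority(holder, cap):
    """Authority `cap` adds to `holder`: operations possible with it but not
    without it. The cap is removed first, so a client that already holds it
    is measured as if the cap 'arrived out of the blue'."""
    without = set(holder) - {cap}
    return authority(without | {cap}) - authority(without)

def confusable(client, service, cap):
    """Jed's reformulated statement: the service is potentially confusable
    by `cap` if it gets more authority from it than the client does, i.e.
    the service's added authority is not contained in the client's."""
    return not added_authority(service, cap) <= added_authority(client, cap)

# Constructed scenario 1: the client can read a secret and write its own
# output; the service (a logger) can write a log the client cannot touch.
SECRET_READ = ("c1", "secret", "read")
CLIENT = {SECRET_READ, ("c2", "out", "write")}
SERVICE = {("c3", "log", "write")}

def scenario_conspirator():
    # Passing SECRET_READ lets the service copy the secret into its log,
    # something the client could never do itself: the service gets more.
    return confusable(CLIENT, SERVICE, SECRET_READ)  # True

# Constructed scenario 2, Jed's "odd case": both sides already hold an
# equivalent capability, so the new one adds nothing to either of them.
DUP_SECRET_READ = ("c4", "secret", "read")
SERVICE_WITH_SECRET = SERVICE | {SECRET_READ}

def scenario_odd_case():
    return confusable(CLIENT, SERVICE_WITH_SECRET, DUP_SECRET_READ)  # False

if __name__ == "__main__":
    print("scenario 1 confusable:", scenario_conspirator())
    print("odd case confusable:", scenario_odd_case())
```

Under this model the odd case is not "confusable" by the statement as written, since neither party gains anything from the duplicate capability; whether the client's act of sending it can still induce confusion is exactly the question Jed leaves open.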
