[cap-talk] Authority vs. Information Flow
David Wagner
daw at cs.berkeley.edu
Sat Feb 16 19:14:31 EST 2008

Toby Murray writes:
>It's worked pretty well so far.
>
>In general, we can't know for sure whether *any* definition is
>definitely appropriate.

I guess where I'm going is that if I simply refuse to accept this as
the proper definition, the "paradox" evaporates. Right now, that looks
like the easier way out. :-)

The following work on causality might be of interest:
http://singapore.cs.ucla.edu/LECTURE/lecture_sec1.htm
http://singapore.cs.ucla.edu/IJCAI99/index.html
The "firing squad" and "light switch" examples in the second talk
seem closely relevant here.

>Moreover, I can test for it in a CSP model checker,
>which is very handy indeed.

Well, okay, but we do have to be careful of the "I'm looking for my
keys under the lamppost because that's where the light is, not where
I dropped them" effect. I know this isn't the reason you chose that
definition but I want to highlight that I don't find this a good reason
to choose one definition over another.

>Yes, but this same system is also likely to have the traces:
>
>(Alice tries to press the button, the light turns on, Bob sees the light
>turn on)

This is not a possible trace, since you stipulated that Dave's
behavior is fixed and immutable and he will always try to press
the button.

>> >I think it is dangerous to argue that Alice has no authority to cause
>> >Bob to see the light turn on here.
>
>> I guess I don't see the danger yet. Can you spell it out? What
>> harmful consequence might this have?
>
>Underestimating the authority of an untrusted subject is surely
>dangerous.

But suppose my contention is that I have not underestimated the
authority of Alice; on the contrary, I have estimated it exactly
accurately. I'm suggesting we should take this one step further:
what's the harmful consequence? If you gave an example where my
kind of reasoning led me to overlook a security vulnerability or
make a decision we can all agree was poor, then I'd be concerned.
So far, though, I don't see any negative consequences either way;
it's just a disagreement over how we should use the word "authority".

>This is the interesting thing about causation. Two people can have
>wildly different intuitions. (This is also why agreeing on a definition
>for it will be tricky ;)

Yes. :-)

>Even if Dave's behaviour isn't fixed, I'd still argue that Alice has
>authority to invoke the light.

I'm arguing:
* If Dave's behavior is fixed, Alice doesn't seem to have the authority.
* If Dave's behavior isn't fixed, Alice does have the authority
  (or, if Dave's behavior is unknown, we must conservatively assume
  that Alice may have the authority).
So it sounds like we agree on the second claim, and are disagreeing
only on the first.

>I'd also like it to agree with people's intuitions.
>
>However, as this discussion has shown, people's intuitions don't agree
>with each other's anyway, so this last goal seems elusive indeed.
>
>The people on this list are perhaps the most qualified that I know of to
>give their intuitions on authority; particularly in capability systems.
>I was hoping that there would be a consensus one way or the other here,
>but we still have some way to go to a shared definition of authority.

Yes, a good goal indeed. It's always possible our intuitions are wrong
and that we will need to revise our intuitions. It's nice to preserve
intuitions wherever possible but occasionally a careful analysis shows
that our intuitions must be discarded -- so while we should strive to
respect our intuitions, they aren't inviolable.

I'm glad that you are probing these issues carefully, because the notion
of "authority" is a slippery one that has not (to my knowledge) been
pinned down carefully but rather has been left to intuition.