[cap-talk] Authority vs. Information Flow
daw at cs.berkeley.edu
Sun Feb 17 20:50:27 EST 2008
Toby Murray writes:
>On Sun, 2008-02-17 at 10:43 -0800, David Wagner wrote:
>> I don't think this situation is analogous to "Will Bob see the
>> light?" The reason is that the caller of Carol gets to control
>> the contents of what Carol writes into the file.
>I don't see how this matters. (This obviously hints that I don't
>understand your argument. I hope to rectify this.)
In the "Will Bob see the light turn on" situation, whether Alice or
Dave is the first one to actually push the button makes no observable
difference. Bob can't distinguish between those two cases.
In the "Who writes to the file" situation, whether Alice or Dave is
the first to trigger the write to the file does make an observable
difference. You can potentially distinguish between the two by looking
at the contents of the file.
Therefore, the two situations have some relevant differences.
>But the CSP process I gave didn't model *what* was written to the file.
>Hence, it cannot make these sorts of distinctions.
Well, I'd call that a flaw of the model. I'd suggest that if we get
misleading conclusions about whether Alice has the authority, maybe
it's because of flaws in the model, not because of problems with my
notion of authority. If we correct the flaw in the model, then I think
my notion of authority does not generate misleading conclusions about
>I hope that we would not need to get into this level of detail to
>accurately capture authority.
We don't need to get into that level of detail to draw conservative
upper bounds on authority, but if we want to calculate authority exactly
(not just an approximation or upper bound on it), then in this case I
think these subtle details affect the outcome.
>From what I gather you're saying:
>In a system of Alice and Bob, Alice can affect Bob (via the light).
>In a system of Alice, Dave and Bob, Alice can no longer affect Bob (via
>the light) because the scenarios in which she does, and does not, act
>cannot be distinguished (by Bob).
>The fundamental problem I have here is that the addition of another
>subject that cannot affect Alice in any way has *reduced* her
>Let's assume that neither Alice nor Dave should be able to cause Bob to
>see the light turn on -- that Bob seeing the light turn on is a "bad"
>thing. Now this "bad" thing can be precipitated (weasel word to avoid
>saying "caused") by both Alice and Dave, since Alice and Dave can both
>push the button. By your definition, we would conclude that this system
>is still secure, since neither of them can cause the light to turn on.
I think I see where the apparent paradox is coming from. It
looks like neither Alice nor Dave has the authority to cause the
light to turn on, yet turn on it does.
But I'd frame it another way. I think that authority depends upon
where we draw the boundary around what part of the system we're
analyzing and what is left unanalyzed -- i.e., what part of the system
we consider fixed and what part we consider "free to change".
There are four cases:
(i) Dave is fixed and Alice can be changed. (i.e., we've examined
the code of Dave but not the code of Alice)
(ii) Alice is fixed and Dave can be changed. (i.e., we've examined
the code of Alice but not Dave)
(iii) Neither Alice nor Dave is fixed. (i.e., we haven't looked
at the code of either of them)
(iv) Both Alice and Dave's behavior is fixed. (i.e., we've
examined both of their code)
In case (iv), I'm not sure it makes sense to even talk about
authority. What will happen, will happen; there is no room for
any other alternative.
In case (iii), both Alice and Dave have authority to turn on the
It's cases (i) and (ii) where it gets tricky. In case (i), I'd
say Alice doesn't seem to have the authority, since no matter what
she does, the light will be turned on either way. In case (ii),
I'd say Dave doesn't seem to have the authority, since no matter what
he does, the light will be turned on either way.
This illustrates that, if you accept my notion of authority, then
the amount of authority depends upon what parts of the system we
consider fixed and what we don't. Is that too weird to be useful?
Am I thinking about this in the wrong way? I don't know. That's
why it would be nice to have a good definition of authority that we
can all agree upon. It's hard to see what that would look like, though.
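The following is an added illustration, not part of the message above or of any cap-talk participant's code. It models the notion of authority argued for here as a small enumeration: a subject has authority over Bob's observation if, holding the subjects we have "fixed" (verified by reading their code) at their fixed behaviour and letting the free subjects behave arbitrarily, the subject can make two choices that Bob can tell apart. The light world and file world, the action alphabets, the fixed payloads "A" and "D", and the ordering in which Carol processes Alice's trigger before Dave's are all constructed assumptions for the example; the thread only says that the order of the write is observable through the file's contents.

```python
from itertools import product

# Constructed example: the subjects whose authority we ask about, and the
# actions available to each in the two worlds from the thread.
SUBJECTS = ("Alice", "Dave")
LIGHT_ACTIONS = ("idle", "push")
FILE_ACTIONS = ("idle", "write")


def light_world(actions):
    """Bob sees the light on if anyone pushed; he cannot tell who did."""
    return "on" if "push" in actions.values() else "off"


def file_world(actions):
    """Carol writes the file once, for the first caller who triggers her,
    and that caller controls the contents.  Constructed detail: Alice's
    trigger is processed before Dave's, and each writes a fixed payload."""
    payload = {"Alice": "A", "Dave": "D"}
    for who in SUBJECTS:
        if actions[who] == "write":
            return payload[who]
    return ""


def has_authority(world, subject, alphabet, fixed):
    """Whether `subject` can make two choices that Bob tells apart.

    `fixed` maps a subject to the single action we have verified by reading
    its code; every other subject is free to behave in any way.  Returns
    None when the subject itself is fixed (case (iv) in the message): there
    is no room for an alternative, so the question does not arise.
    """
    if subject in fixed:
        return None
    free = [s for s in SUBJECTS if s != subject and s not in fixed]
    # For each behaviour of the free subjects, try every choice the subject
    # could make and see whether Bob's observation changes.
    for free_actions in product(alphabet, repeat=len(free)):
        base = dict(fixed)
        base.update(zip(free, free_actions))
        seen = {world({**base, subject: own}) for own in alphabet}
        if len(seen) > 1:
            return True
    return False


def analyse():
    """Run the four cases from the message, plus two variations, on both worlds."""
    results = {}
    # Light world: pushing is idempotent and anonymous.
    results["light (i) Dave fixed to push, Alice free"] = has_authority(
        light_world, "Alice", LIGHT_ACTIONS, {"Dave": "push"})
    results["light (ii) Alice fixed to push, Dave free"] = has_authority(
        light_world, "Dave", LIGHT_ACTIONS, {"Alice": "push"})
    results["light (iii) nobody fixed, Alice"] = has_authority(
        light_world, "Alice", LIGHT_ACTIONS, {})
    results["light (iv) both fixed, Alice"] = has_authority(
        light_world, "Alice", LIGHT_ACTIONS, {"Alice": "push", "Dave": "push"})
    # Same boundary as (i), but Dave's verified behaviour is different.
    results["light Dave fixed to idle, Alice free"] = has_authority(
        light_world, "Alice", LIGHT_ACTIONS, {"Dave": "idle"})
    # File world: the contents reveal who triggered the write.
    results["file Dave fixed to write, Alice free"] = has_authority(
        file_world, "Alice", FILE_ACTIONS, {"Dave": "write"})
    results["file Alice fixed to write, Dave free"] = has_authority(
        file_world, "Dave", FILE_ACTIONS, {"Alice": "write"})
    return results


if __name__ == "__main__":
    for case, verdict in analyse().items():
        print(f"{case}: {verdict}")
```

Running it reproduces the verdicts in the message: with Dave fixed to push, Alice has no authority over the light, and symmetrically for Dave; with nobody fixed, she does; with both fixed the question is moot. Changing only Dave's verified behaviour (fixed to idle) restores Alice's authority, which is the boundary-dependence being described. In the file world the same boundary gives the opposite answer for Alice, because Bob can distinguish "A" from "D"; Dave, acting second, has none once Alice is known to write. Treating every subject as free (case (iii)) is the conservative upper bound mentioned earlier in the message.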