[cap-talk] the value of non-delegatable authority?
Toby Murray
toby.murray at comlab.ox.ac.uk
Mon Jan 14 20:52:10 EST 2008
On Mon, 2008-01-14 at 01:35 -0800, Jed Donnelley wrote:
> Let me check
> my understanding by feeding back my thoughts in this next paragraph:
>
> On first thought it seems to me that under the above circumstances
> what Bob delegates to Dennis is exactly the *permission* that Bob
> has. Namely, the reply capability provides Bob only with the
> permission to invoke Carol once. However, it seems that Bob has
> greater authority than just that one permission by virtue of being
> invoked again after his reply capability has been exercised (to
> invoke Carol by NDA). This greater authority has indeed not been
> delegated to Dennis. Bob only has this authority by virtue
> of the NDA service having its capability to Bob and re-invoking
> that capability to Bob after every return. As you say, it would
> require cooperation by Bob to allow Dennis the authority to
> make further invocations of Carol through NDA.
>
> Does the above sound right to you?
Yes
<snip to main event>
> a person with
> a clearance does have the authority to delegate the permission
> to read any documents that they can themselves read to anybody
> with whom they can communicate - however, they have a
> responsibility (duty) not to do so. That is, they are trusted
> not to do so.
>
> Does the above phrasing make sense to you? If not, what if
> I substituted the word "power" for "authority" in the above?
Yes
A security-cleared person can delegate the right to read a particular
classified document to someone else by simply passing them the document,
or making a copy of it and passing them the copy. They have
the /authority/ to do so, because the rules of the game don't prevent it
from occurring. But as you say, they have a /responsibility/ not to,
i.e. they are trusted not to perform this action that they have the
authority to perform.
However, we're talking about different authorities here.
While a cleared individual can delegate the permission to read a
particular document, they cannot delegate their clearance to another
individual. Similarly with the NDA, Bob can pass on the permission to
another to invoke Carol *once*, but cannot pass on his general right to
be invoked by NDA each time it is used. Hence, I still argue that
clearances are an example of non-delegatable authority.
I'd also argue that most ID cards and other mechanisms implement a form
of (or an approximation to) the NDA. I can't allow someone else to use
my ID since it has my picture on it. I can proxy for them by choosing to
buy alcohol or whatever on their behalf, however, using my ID. Modulo
breaking the ID system, I cannot share my authority to use my ID with
another. Hence it is a non-delegatable authority.
The fact that all IDs implement this paradigm indicates that
non-delegatable authority has been embraced the world over.
(Thinking about how one would implement a driver's license in the
object-cap model was what actually led me to the NDA pattern btw.)
> I believe
> there is a confusion between responsibility (trust and perhaps policy)
> and "authority" - which for me is closer to power.
That depends on the authority that we are referring to (e.g. the
authority to read a particular document vs. my security clearance, the
former is delegatable while the latter is not.) Hence I still argue that
the world is full of examples of non-delegatable authority.
> That is, if
> the available mechanisms allow me to take an action myself or to
> enable an action by another then I say I am "authorized" to
> take or delegate that action.
Let us not confuse delegation and proxying in the real world (e.g.
passing on a transferable credential that allows the holder to buy
alcohol (delegation) vs. buying alcohol on someone else's behalf
(proxying)).
> I may be trusted not to delegate
> it, I may be considered responsible for any such delegated
> action if I so delegate, but I am *authorized* to do so.
I'm not totally comfortable with the use of "authorised" above. I'd
prefer the term "not prevented" since the everyday use of "authorised"
is different to its use here.
<snip the rest on which we mostly seem to agree>
Toby
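The Bob/Carol/Dennis exchange discussed in the message above, written out as a small object-capability sketch. This is an added example, not code from the cap-talk thread or from any of its participants; the names NDAService, ReplyCap, Party and the tick() method are assumptions made here for illustration. The NDA service keeps the only reference to Bob and, each time the previous reply capability has been exercised, invokes Bob again with a fresh single-use reply capability to Carol. Bob can hand that reply capability to Dennis (delegating one invocation of Carol), but there is no object in Bob's hands that represents "being invoked by the NDA service again", so that part of his authority cannot be passed on without his continued cooperation.

```python
"""Non-delegatable authority (NDA) sketch, constructed for illustration.

Capabilities are bearer references: whoever holds ReplyCap may use it, so
Bob can delegate it. The capability *to Bob* is held only by NDAService, so
Bob's right to be invoked again is not something he can hand to Dennis.
"""


class Revoked(Exception):
    """Invoking a reply capability that is used up or was never received."""


class Carol:
    """The target object; records every invocation that reaches it."""
    def __init__(self):
        self.log = []

    def invoke(self, who, msg):
        self.log.append((who, msg))
        return len(self.log)  # sequence number of this invocation


class ReplyCap:
    """Single-use permission to invoke Carol once. Dead for everyone after use."""
    def __init__(self, target, on_used):
        self._target = target
        self._on_used = on_used  # callback that tells the NDA service the reply came back

    def invoke(self, who, msg):
        if self._target is None:
            raise Revoked("reply capability already exercised")
        target, self._target = self._target, None
        self._on_used()
        return target.invoke(who, msg)


class NDAService:
    """Holds the only capability to Bob and re-invokes him after each reply."""
    def __init__(self, bob, carol):
        self._bob = bob          # the service's capability to Bob; Bob has no handle on this
        self._carol = carol
        self._pending = True     # Bob is due to be invoked
        self.invocations_of_bob = 0

    def _reply_returned(self):
        self._pending = True

    def tick(self):
        """Invoke Bob with a fresh ReplyCap, but only once the last one was used."""
        if not self._pending:
            return False
        self._pending = False
        self.invocations_of_bob += 1
        self._bob.receive(ReplyCap(self._carol, self._reply_returned))
        return True


class Party:
    """A participant who can hold a reply capability, use it, or hand it on."""
    def __init__(self, name):
        self.name = name
        self.reply = None

    def receive(self, reply):
        self.reply = reply

    def delegate_to(self, other):
        other.receive(self.reply)  # cooperation: the permission itself is passed on
        self.reply = None

    def use(self, msg):
        if self.reply is None:
            raise Revoked(f"{self.name} holds no reply capability")
        return self.reply.invoke(self.name, msg)


def _attempt(party, msg):
    try:
        return party.use(msg)
    except Revoked:
        return "revoked"


def run_scenario():
    """Replays the thread's scenario and returns what each party managed to do."""
    carol, bob, dennis = Carol(), Party("bob"), Party("dennis")
    nda = NDAService(bob, carol)
    out = {}
    nda.tick()                                     # round 1: Bob receives reply cap #1
    out["premature_tick"] = nda.tick()             # no re-invocation until #1 is exercised
    bob.delegate_to(dennis)                        # Bob delegates the one-shot permission
    out["dennis_first"] = _attempt(dennis, "hello")    # Dennis reaches Carol exactly once
    out["dennis_second"] = _attempt(dennis, "again")   # the same cap is now dead
    nda.tick()                                     # round 2: the service re-invokes Bob, not Dennis
    out["bob_round2"] = _attempt(bob, "bob again")
    out["dennis_round2"] = _attempt(dennis, "still me?")  # Dennis got nothing new
    nda.tick()                                     # round 3: Bob again
    bob.delegate_to(dennis)                        # only Bob's cooperation gives Dennis another turn
    out["dennis_round3"] = _attempt(dennis, "thanks bob")
    out["bob_invocations"] = nda.invocations_of_bob
    out["carol_log"] = list(carol.log)
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The ReplyCap is the *permission* Jed describes: it is what Bob holds and what Bob can give away. The `_bob` reference inside NDAService is the rest of Bob's authority, and nothing in the sketch lets Bob extract or forward it; Dennis gets a second turn only because Bob calls delegate_to again.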