[cap-talk] the value of non-delegatable authority?
Toby Murray
toby.murray at comlab.ox.ac.uk
Thu Jan 17 02:21:05 EST 2008
On Thu, 2008-01-17 at 06:08 +0000, David Hopwood wrote:
> Toby Murray wrote:
> > On Tue, 2008-01-15 at 05:29 +0000, David Hopwood wrote:
> >>
> >>> While a cleared individual can delegate the permission to read a
> >>> particular document, they cannot delegate their clearance to another
> >>> individual.
> >> Yes they can, by acting as a proxy.
> >
> > I said "they cannot *delegate* their clearance". Being able to proxy is
> > totally different.
> >
> >> If human Alice has access to a document, she can always give human
> >> Bob access to it.
> >
> > Of course. But she cannot give Bob her *clearance*. She cannot
> > instantaneously give Bob the right to read every document that she ever
> > could. Bob can't gain a clearance from Alice (assuming Alice doesn't
> > work for a vetting agency, of course).
>
> By proxying, Alice can instantaneously give Bob the ability to read every
> document that he wants to read (and the same ability to search for documents
> that she has). This has a similar effect to giving Bob the same clearance,
> except that an audit trail will show Alice, not Bob, as having accessed
> the documents.
It is similar, but there are some major differences.
Alice must collaborate on each document Bob fetches when Alice is
proxying.
Instead, were Alice able to delegate her clearance to Bob, then Bob
would only require her participation during this single act of
delegation, and never again.
I'd argue that were Alice to give Bob *her* clearance, Bob's
accesses would show as having been authorised by Alice's clearance.
Hence, the accesses may well show up as having been made by Alice,
depending on the mechanics of the logging system, of course.
> Alice's clearance refers to what set of documents she is intended
> (by whoever assigns clearances) to be able to read. It does not refer to
> her actual authority; it defines a lower bound on each cleared principal's
> authority.
This depends on the terms in which you choose to quantify authority.
What do you mean by "It does not refer to her actual authority"? The
meaning of this statement is hard to define without a definition of
authority.
Taking the standard definition of authority (all of Alice's permissions
-- the objects/subjects she can access directly -- plus all of the
effects Alice can cause) Alice's clearance is merely a proxy for her
authority. But so is "the set of documents that Alice can access", so I
don't quite see what you mean.
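The distinction argued above (Alice proxying each of Bob's reads versus Alice handing Bob her clearance in a single act) can be made concrete in a small object-capability model. The following is an added illustration written for this reply, not code from the cap-talk thread or any of its participants; the store, the clearance levels, the documents and the principals "alice" and "bob" are all hypothetical. It counts how often Alice has to participate in each arrangement and records what the audit trail shows.

```python
"""Toy object-capability model, constructed for this reply (not code from the
cap-talk thread): Alice proxying reads for Bob versus Alice delegating her
clearance to Bob.  All names, levels and documents here are hypothetical."""

from dataclasses import dataclass, field

LEVELS = {"unclassified": 0, "secret": 1, "top-secret": 2}


@dataclass(frozen=True)
class Clearance:
    holder: str      # the only principal the store will honour it for
    level: str
    issued_by: str   # "vetting" for a real clearance, else the delegator


@dataclass
class Store:
    """Reference monitor: holds (level, text) per document and keeps an audit trail."""
    docs: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    delegation_allowed: bool = False   # the property the thread argues about

    def read(self, requester: str, clearance: Clearance, name: str) -> str:
        # A clearance is bound to its holder; presenting someone else's is refused.
        if clearance.holder != requester:
            raise PermissionError(f"{requester} cannot use {clearance.holder}'s clearance")
        level, text = self.docs[name]
        if LEVELS[clearance.level] < LEVELS[level]:
            raise PermissionError(f"{requester} not cleared for {name}")
        self.audit.append((requester, clearance.issued_by, name))
        return text

    def delegate(self, clearance: Clearance, to: str) -> Clearance:
        """Hand a whole clearance to another principal in one act (if permitted)."""
        if not self.delegation_allowed:
            raise PermissionError("clearances are not delegatable here")
        return Clearance(holder=to, level=clearance.level, issued_by=clearance.holder)


class Alice:
    def __init__(self, store: Store, clearance: Clearance):
        self.store, self.clearance = store, clearance
        self.cooperating = True
        self.participations = 0   # how often Alice had to act on Bob's behalf

    def proxy(self):
        """A capability Alice can hand Bob: each use runs through Alice, on her clearance."""
        def fetch(name: str) -> str:
            if not self.cooperating:
                raise PermissionError("Alice has stopped proxying")
            self.participations += 1
            return self.store.read("alice", self.clearance, name)
        return fetch

    def delegate(self, to: str) -> Clearance:
        self.participations += 1
        return self.store.delegate(self.clearance, to)


def new_store(delegation_allowed: bool) -> Store:
    # Constructed sample documents.
    return Store(docs={"plan": ("secret", "attack at dawn"),
                       "budget": ("top-secret", "42 gold")},
                 delegation_allowed=delegation_allowed)


def proxy_scenario() -> dict:
    """Bob reads via Alice's proxy; Alice must collaborate on each fetch."""
    store = new_store(delegation_allowed=False)
    alice = Alice(store, Clearance("alice", "top-secret", "vetting"))
    fetch = alice.proxy()
    texts = [fetch("plan"), fetch("budget")]
    alice.cooperating = False   # Alice withdraws: Bob's access stops immediately
    try:
        fetch("plan")
        still_works = True
    except PermissionError:
        still_works = False
    return {"texts": texts, "participations": alice.participations,
            "audit": list(store.audit), "works_after_alice_withdraws": still_works}


def delegation_scenario() -> dict:
    """Bob receives Alice's clearance once, then reads without her."""
    store = new_store(delegation_allowed=True)
    alice = Alice(store, Clearance("alice", "top-secret", "vetting"))
    bob_clearance = alice.delegate("bob")   # the single act Alice takes part in
    texts = [store.read("bob", bob_clearance, "plan"),
             store.read("bob", bob_clearance, "budget")]
    return {"texts": texts, "participations": alice.participations,
            "audit": list(store.audit)}


def bob_reuses_alices_clearance() -> bool:
    """Without delegation, Bob cannot simply present Alice's clearance himself."""
    store = new_store(delegation_allowed=False)
    try:
        store.read("bob", Clearance("alice", "top-secret", "vetting"), "plan")
        return True
    except PermissionError:
        return False
```

In the proxy case Alice participates in every read, the audit trail names Alice as the requester, and Bob's access ends the moment she stops cooperating. In the delegation case Alice participates exactly once; Bob then reads on his own, and what the audit trail records (here, Bob as requester with a clearance derived from Alice's) is purely a choice of the logging model.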