[cap-talk] Capabilities giving up control?

David Hopwood david.hopwood at industrial-designers.co.uk
Fri Jan 18 17:49:00 EST 2008


Mark Miller wrote:
> On Jan 18, 2008 8:51 AM, David Hopwood
> <david.hopwood at industrial-designers.co.uk> wrote:
>> Jed Donnelley wrote:
>> [...]
>>> I really think the sense in which we have been using
>>> "authority" on this list (sorry MarkM) is an entirely
>>> different concept.  Namely the closure of what sort
>>> of access can be obtained by using all available
>>> permissions.  Sadly, I don't think this fits very
>>> well with the human social notion of "authorize",
>>> e.g. (from:
>>> http://www.thefreedictionary.com/authorize ):
>>
>> Please let's not redefine terms in mid-argument. MarkM's choice
>> of "authority" to mean the transitive closure of available
>> permissions will do fine for the time being; it's concise, useful,
>> and no less well-chosen than many other technical terms.
> 
> I use "authority" to mean the effects one can cause. If Alice has
> permission to write to file C and Alice gives Bob an object that
> enables Bob only to cause even numbers to be written to C, then Bob
> has the authority to cause even numbers to be written to C. How would
> you describe this authority in terms of a transitive closure of
> available permissions?

I was insufficiently precise. The transitive closure of permissions
starting from a given subject gives an upper bound on the authority
available to that subject.

In the example, Bob has permission to invoke the "even number writer
to C" object (let's call it EvenWriter). This gives him the authority
to write even numbers to C (in some format defined by EvenWriter).
Note that if EvenWriter is upgradeable, however, there is the
possibility of it being changed to do something other than write
even numbers. So the analysis that Bob has less authority (via its
capability to EvenWriter) than the permission to write anything to C
is conditional on EvenWriter's current and future behaviour.

This is consistent with what Jed says in his reply to you, so I think
there's a fair degree of consensus on this meaning. My point was that
we should stick to it for this discussion, and not use "authority" or
"authorize" to mean anything else -- dictionary definitions notwithstanding.

-- 
David Hopwood
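
The EvenWriter scenario discussed above, as an added example that is not part of the original message or of any poster's code. The names makeFile, makeEvenWriter, reachable and tryWrite, and the graph contents, are assumptions made for illustration. It shows the permission closure from Bob reaching C (the upper bound), Bob's actual authority being limited to even numbers, and that limit depending on EvenWriter not being upgraded.

```javascript
// Added illustration; every name here is hypothetical.

// File C: holding this object is the permission to write anything to C.
function makeFile() {
  const contents = [];
  return Object.freeze({
    write: (n) => { contents.push(n); },
    read: () => contents.slice(),
  });
}

// EvenWriter: forwards only even integers to the file it closes over.
// When upgradeable, the creator also receives an `upgrade` facet that
// can replace the behaviour behind the same writer reference.
function makeEvenWriter(file, { upgradeable = false } = {}) {
  let behaviour = (n) => {
    if (!Number.isInteger(n) || n % 2 !== 0) {
      throw new Error('EvenWriter: even integers only');
    }
    file.write(n);
  };
  const writer = Object.freeze({ write: (n) => behaviour(n) });
  const upgrade = upgradeable ? (f) => { behaviour = (n) => f(file, n); } : null;
  return { writer, upgrade };
}

// Transitive closure of permissions: everything reachable from `start`
// over "holds a reference to" edges. An upper bound on authority only.
function reachable(edges, start) {
  const seen = new Set([start]);
  const stack = [start];
  while (stack.length) {
    for (const next of edges[stack.pop()] || []) {
      if (!seen.has(next)) { seen.add(next); stack.push(next); }
    }
  }
  return seen;
}

// Constructed permission graph for the scenario in the message.
const edges = { Alice: ['C', 'EvenWriter'], Bob: ['EvenWriter'], EvenWriter: ['C'] };

// Returns true if the write was accepted, false if the writer refused it.
function tryWrite(writer, n) {
  try { writer.write(n); return true; } catch (e) { return false; }
}
```
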

