[cap-talk] Capabilities giving up control?
Jed Donnelley
jed at nersc.gov
Fri Jan 18 20:29:38 EST 2008
On 1/18/2008 2:44 PM, Mark Miller wrote:
> It's the "and how Alice exercises her permission" clause that makes
> authority much narrower than the transitive closure of permissions.
and regarding:
> I use "authority" to mean the effects one can cause. If Alice has
> permission to write to file C and Alice gives Bob an object that
> enables Bob only to cause even numbers to be written to C, then Bob
> has the authority to cause even numbers to be written to C. How would
> you describe this authority in terms of a transitive closure of
> available permissions?
Right. The permission that Alice grants is less than the
permission that Alice has. Perhaps "transitive closure"
isn't an appropriate term? We have:
    Carol -> Bob -> Alice
                \
                 > Zeda
Alice provides a resource service to Bob.
Bob makes use of that service through the
permission granted from Alice and provides a
somewhat restricted service to Carol -
through a permission that Bob grants
to Carol, perhaps augmented with a
permission granted from Zeda, etc.
I think we are all talking about the same
thing and just discussing how to describe
it. By using the phrase "transitive closure"
I definitely didn't intend to exclude any
filtering by active participants along the
communication chain(s).
The access that Alice grants to Bob is
limited by the service that Alice will
actively provide to Bob. That is what
I consider to be the "permission" that
Alice grants to Bob.
The access that Bob grants to Carol, by the
different token, is limited by the service
that Bob actively provides to Carol.
Bob can't provide Carol more permission
to access Alice's object, though of course
Bob can combine various resources such
as the permission granted from Zeda to
make up that which he presents to
Carol. Isn't the result the "permission"
that Bob grants to Carol?
If you want to distinguish between Carol's
"authority" and the "permission" that she
gets from Bob (as has seemed to me to be
a point that you feel strongly about MarkM),
how do you do it?
What I have understood to be your point
about "authority" (vs. permission) is that
authority includes any means for attaining
a result, however indirect. However, isn't
a subject limited in that it can only exercise
its available permissions in attempting to
get a result (exercise authority)? Is the
main distinction between permission and
authority that a subject can exercise
multiple permissions in an effort to
achieve a result and thus exercise its
greater "authority" (e.g. what's been
termed "amplification"?)?
As we've discussed, I admit that I don't really
understand the value of some of these distinctions.
I'd like to. Feel free to call me if that
might be a quicker way to achieve the
result or drop it if that seems best. To me
the terminology is less important than
the concepts, though I do chafe a bit when
technical system terminology (e.g. the term
"authority" in this case) conflicts with
typical human social understanding (where in
the human social sense it means something
more like what is legally allowed than simply
being able to effect a change) and seems
to result in confusion.
--Jed http://www.webstart.com/jed/
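
An added illustration, not part of the original message and not code from either poster: the Carol -> Bob -> Alice / Zeda chain discussed above, written as JavaScript forwarder objects. The function names, Bob's multiples-of-four filter and Zeda's write quota are assumptions made for the example.

```javascript
// Constructed illustration; all names and policies here are hypothetical.

// Alice's resource, file C. Holding this object is permission to write anything.
function makeFile() {
  const contents = [];
  return Object.freeze({
    write(n) { contents.push(n); },
    read() { return contents.slice(); },
  });
}

// Alice -> Bob: a forwarder through which only even integers reach C.
function makeEvenWriter(file) {
  return Object.freeze({
    write(n) {
      if (!Number.isInteger(n) || n % 2 !== 0) throw new TypeError('even integers only');
      file.write(n);
    },
  });
}

// Zeda -> Bob (assumed service): a quota that allows a fixed number of uses.
function makeQuota(limit) {
  let used = 0;
  return Object.freeze({
    take() { if (used >= limit) throw new RangeError('quota exhausted'); used += 1; },
  });
}

// Bob -> Carol: Bob filters further and combines Alice's and Zeda's grants.
function makeCarolFacet(evenWriter, quota) {
  return Object.freeze({
    write(n) {
      if (!Number.isInteger(n) || n % 4 !== 0) throw new TypeError('multiples of four only');
      quota.take();
      evenWriter.write(n);
    },
  });
}

function demo() {
  const fileC = makeFile();                               // held by Alice only
  const bobCap = makeEvenWriter(fileC);                   // what Alice grants Bob
  const carolCap = makeCarolFacet(bobCap, makeQuota(2));  // what Bob grants Carol
  const rejected = [];
  const attempt = (cap, n) => { try { cap.write(n); } catch (e) { rejected.push(n); } };
  [[bobCap, 2], [bobCap, 3], [carolCap, 4], [carolCap, 6], [carolCap, 8], [carolCap, 12]]
    .forEach(([cap, n]) => attempt(cap, n));
  return { written: fileC.read(), rejected, carolCanRead: 'read' in carolCap };
}
```

In this sketch the effects Carol can cause on C are bounded by what Bob's forwarder will do, and Bob's by what Alice's will do; neither forwarder exposes a way to read C.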