[cap-talk] Definition of "authority"? r.e. technical term for computer systems
Jed Donnelley
jed at nersc.gov
Fri Jan 18 22:24:49 EST 2008
On 1/18/2008 5:54 PM, Karp, Alan H wrote:
> Jed wrote:
>
>> Is the
>> main distinction between permission and
>> authority that a subject can exercise
>> multiple permissions in an effort to
>> achieve a result and thus exercise its
>> greater "authority" (e.g. what's been
>> termed "amplification"?)?
>>
> No, they are different concepts. Amplification
> means needing two authorities, such as to the
> sealed box and the corresponding unsealer.
I believe I understand this much. However,
I'm struggling for a definition for Authority
distinct from the set of available permissions.
> Authority is the ability to cause things to happen.
Understood, but still...
> That means a permission is an authority, but there
> are authorities that aren't permissions.
>
> The example I like is a web server. There is an ACL
> on the server's machine granting the process running
> the server permission to read the site's home page
> from disk. There is no permission granting me permission
> to read that page. When I enter the URL for that page
> in my browser, I get to read it. Clearly then I have
> authority to read the page. What has happened is that
> I used my permission, embodied by knowledge of the
> server's URL, to ask the server for the page. The
> server used its permission and behavior to present
> the contents to me. It is this characteristic of
> combining permission and behavior that is the distinguishing
> characteristic of a non-permission authority.
<rather rambling - not suggested reading unless you
have a clear idea of the "authority" definition and
can perhaps help me understand it:>
Let me see if I follow this. In this case "you" have
permission to communicate openly on the Internet.
That means that in principle you can read the Web
page in question (typing monkeys).
However, you seem to be suggesting that even though
you may be able to access this page by chance, in
fact it requires you to exercise your permission to
communicate on the Internet in a very specific way.
Only by knowing that way (knowing the URL) can you
exercise your full "authority"?
Let me see if I can understand better with a physical
analogy. I'm a baby sitter. The home owner gives
me permission to enter the house. I'm in.
Once in I can do all sorts of things. I can turn
on the faucet in the kitchen, turn on the television,
etc.
What about eating that chocolate bar in the back of
the cupboard in the kitchen? The fact that I am in
the house and have access to the cupboard somehow
suggests that I have access to the chocolate. There
is nothing preventing me from accessing it. Do I
have "authority" to eat the chocolate?
In the human social sense, if I was given a
blanket privilege like "eat anything you find",
then I would say that I have "authorization"
(from the owner) to eat the chocolate, otherwise
not.
What about in the sense that we are using the
term "authority" for computer systems. Perhaps
the chocolate might be "hidden" in the cupboard.
Do I have the authority to eat it or not?
If somebody told me where the chocolate was
(e.g. the child I'm babysitting), then I might
have received the knowledge of how to exercise
my permission to enter the house in order to
achieve the chocolate eating that would then
demonstrate that I had the "authority" to eat
the chocolate?
I guess I should stop here. This is all very
puzzling to me. I hope somebody can shed some
light on it. From my perspective there are
all sorts of privileges (permissions?) that
can derive from a single permission. I don't
consider these distinct enough to consider needing
a distinct term to describe the sum total of
what might be considered "sub permission"s.
Maybe somebody can point me to some documentation
that I can read to get up to speed on this? Perhaps
there is some place in MarkM's thesis that will help?
I've looked at the first dozen or so uses of "authori*"
and I haven't made any progress.
Perhaps this sentence can help: "In practice, programmers
control access partially by manipulating the access graph,
and partially by writing programs whose behavior attenuates
the authority that flows through them."
This seems to be close to the key. It sounds suspiciously
like MarkM's even number writing example:
> I use "authority" to mean the effects one can cause. If Alice has
> permission to write to file C and Alice gives Bob an object that
> enables Bob only to cause even numbers to be written to C, then Bob
> has the authority to cause even numbers to be written to C.
In that case I would say that the object that Alice gave
to Bob only granted him the "permission" to write even
numbers into the file. Not? Alice clearly didn't give
Bob permission to write openly to the file. That
permission, which Alice has, was attenuated - as MarkM
suggests - so as to result in the reduced ... I would
say "permission" that Bob was given. Would others say
the "authority" (that Bob was given?)? If so, what
permission was Bob given?
Sorry for the struggle. I just don't seem to be getting
it. MarkM suggests that Chapter 8 in his thesis focuses
on this topic.
(soldiering on...) Perhaps this will get to the nut of
the issue. In Chapter 8 in MarkM's thesis he goes through
a discussion as above and ultimately makes this statement:
"As our description ascends levels of abstraction, the
authority manipulated by the extensions of one level
becomes the permissions manipulated by the primitives
of the next higher platform. Permission is relative to
a frame of reference. Authority is invariant."
Whew. I believe if I could understand the above sentence
I might be able to 'get' this distinction between permission
and authority.
Sorry I can't do better. Hopefully somebody 'out there' is
screaming now that it's so obvious and can explain it to me.
--Jed http://www.webstart.com/jed/
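As an added worked illustration of the even-number attenuation example quoted above (my own code, not from the thread or from MarkM's thesis; the `FileC` class and the `attenuate` helper are assumed for the illustration), this models Alice's write permission as the only real permission, and Bob's and then Carol's forwarders as attenuated authority; from each holder's own frame of reference, the forwarder they hold is "their permission", while the effects it can cause on file C stay fixed however it is described:

```python
"""Added illustration of permission vs. attenuated authority (not code from the thread)."""
from typing import Callable, List

Writer = Callable[[int], None]


class FileC:
    """The only real permission in this model: an object that can
    append to file C.  Alice is the sole holder of it."""

    def __init__(self) -> None:
        self.contents: List[int] = []

    def write(self, value: int) -> None:
        self.contents.append(value)


def attenuate(upstream: Writer, allowed: Callable[[int], bool]) -> Writer:
    """Return a forwarder that admits only values satisfying `allowed`.
    The holder of the forwarder never receives `upstream` itself, so the
    effects it can cause are a strict subset of the upstream holder's:
    the forwarder's behaviour, not a new ACL entry, limits the authority."""

    def forward(value: int) -> None:
        if not allowed(value):
            raise PermissionError("attenuated capability refuses %d" % value)
        upstream(value)

    return forward


def demo() -> List[int]:
    """Alice attenuates her permission for Bob; Bob attenuates again for Carol."""
    file_c = FileC()
    alice: Writer = file_c.write                    # Alice's permission
    bob = attenuate(alice, lambda v: v % 2 == 0)    # Bob: even numbers only
    carol = attenuate(bob, lambda v: v % 4 == 0)    # Carol: Bob's "permission", narrowed again
    for holder, value in ((bob, 2), (carol, 8), (bob, 3), (carol, 6)):
        try:
            holder(value)
        except PermissionError:
            pass        # 3 is refused by Bob's forwarder, 6 by Carol's
    return file_c.contents    # returns [2, 8]
```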