[cap-talk] Definition of "authority"? r.e. technical term for computer systems

Karp, Alan H alan.karp at hp.com
Sun Jan 20 19:00:43 EST 2008


Jed wrote:
>
> In the above you say, "Bob has permission to talk to Alice."
> To me this is a meaningless thing to say about the permission
> that Alice granted to Bob.  Capabilities always grant the
> permission to communicate to the server of the capability.
> From my perspective the meaningful thing to say about the
> "permission" Alice granted to Bob is that Alice granted Bob
> the 'permission' to write even integers to the file.
>
Then say that Bob has a capability to Alice.  A capability is a permission to communicate to an object, so it amounts to the same thing.  Also, Alice did not have to grant the capability to Bob; he could have gotten it from anyone with the capability to Alice.  Most importantly, Alice has no idea which object (we're talking about objects here, not people) is making the request.
>
> If you disagree, why did you say that "Alice has permission
> to write even and odd integers into the file."?  To be
> consistent, shouldn't you say that Alice has permission
> to talk to the file server and that Alice has the
> 'authority' to write integers to the file?
>
See.  You do understand the distinction.  Of course, then we could say that the fileserver has permission to talk to the driver, the driver has permission to talk to the I/O channel the disk is on, etc.
>
> If I were to look at the details of the capability that
> Bob has from Alice, I might see that it has the "even"
> number access right vs. another capability from Alice with
> the "odd" number access right.  If both "access right"s
> were turned on then I suppose you could say that Alice
> granted to Bob both the permission to write even
> integers and the permission to write odd integers.
> In that case would you say that Bob has the "authority"
> to write any integers - namely the sum of the two
> 'permission's?
>
An object capability grants permission to invoke any public method of the object.  In this case, Alice has a writeEven(int i) method that writes to the file only if the argument is even.  If Alice had another method writeOdd(int i), then Bob would have authority to write odd integers, too.
>
> I thought the idea of 'authority' as MarkM uses it in
> his thesis was intended to be deeper than that.  Namely
> that it relates to ultimate actual authority vs.
> directly granted intended authority.
>
MarkM?
>
> Suppose, for example, there was a bug in the file
> server that allowed one to write ASCII text to it
> in some obscure invocation.  In that case if something
> about the invocations that Alice granted to Bob might
> result in Bob being able to write some ASCII text
> to the file, would Bob have the "authority" to
> write ASCII text even though he nominally only
> was granted 'permission' to write even integers?
>
Bob has permission to invoke Alice's methods.  The behavior of those methods determines which authorities Bob has.  If Alice's method has a bug, Bob may get some authorities the programmer did not intend him to have.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
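
The permission/authority distinction discussed in this message, as an added example that is not part of the original post: Bob's permission is the same in both cases (a reference to Alice), while his authority depends on how Alice's writeEven behaves. The names makeFile, makeAlice, makeBuggyAlice and bob, and the specific coercion bug, are assumptions made for illustration.

```javascript
// Added illustration; makeFile, makeAlice, makeBuggyAlice and bob are hypothetical names.

// The file: any holder of this reference may write any value to it.
function makeFile() {
  const contents = [];
  return Object.freeze({
    write(value) { contents.push(value); },
    read() { return contents.slice(); },
  });
}

// Alice keeps the file reference in her closure and exposes one public method.
function makeAlice(file) {
  return Object.freeze({
    writeEven(i) {
      if (!Number.isInteger(i) || i % 2 !== 0) return false;
      file.write(i);
      return true;
    },
  });
}

// Same interface, but the check relies on numeric coercion: '0x10' % 2 === 0.
function makeBuggyAlice(file) {
  return Object.freeze({
    writeEven(i) {
      if (i % 2 !== 0) return false; // bug: never checks that i is an integer
      file.write(i);
      return true;
    },
  });
}

// Bob is handed only a reference to Alice (his permission) and probes what it lets him do.
function bob(alice) {
  return {
    even: alice.writeEven(4),
    odd: alice.writeEven(7),
    text: alice.writeEven('0x10'),
    reachesFile: 'file' in alice,
  };
}

function demo() {
  const f1 = makeFile(), f2 = makeFile();
  return { strict: bob(makeAlice(f1)), strictFile: f1.read(),
           buggy: bob(makeBuggyAlice(f2)), buggyFile: f2.read() };
}

console.log(JSON.stringify(demo()));
```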




