[cap-talk] Concerning entry "ambient authority" in Wikipedia
Toby Murray
toby.murray at comlab.ox.ac.uk
Fri Jun 5 06:07:15 EDT 2009
On Fri, 2009-06-05 at 11:13 +0200, Matej Kosik wrote:
> Fellows,
>
> I have some doubts concerning the article "ambient authority" in
> Wikipedia.
So do I. However, I'm not sure how it should be changed. Ambient
authority is never clearly defined in any of the capability literature.
I can come up with two definitions for "ambient authority".
1. A program's ambient authority is the subset of its authority that it
shares with all other programs in the computer system within which it
resides.
2. A program's ambient authority is the subset of its authority that it
can exercise without having to present any form of credential, such as a
capability, password, certificate etc.
I don't like definition 1 because it doesn't fit with most uses of the term
"ambient authority". I don't like definition 2 because it seems to
coincide with "identity-based authority" which is more descriptive and
has the advantage that it cannot be confused with sense 1 above.
Any definition should avoid relying on the object-capability model, I
think. The object-capability model is an object-oriented model of
computation in which the second kind of ambient authority is (almost*)
eliminated. All sane object-capability systems ensure that all ambient
authority of the first kind above is benign.
* I say "almost" because the ability to build Non-Delegatable
Authorities (NDAs) allows the reintroduction of ambient authority in
object-capability systems.
As a side note, I realised recently that NDAs can be built in /any/
object-capability system. One simply uses randomly generated nonces that
are rescinded upon presentation to simulate EROS/KeyKOS style "resume"
keys. The argument then proceeds exactly as in the case of EROS which is
discussed in the last paragraph of Section 1 in
http://www.comlab.ox.ac.uk/people/toby.murray/papers/NDA.pdf .
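As an added illustration, not part of Toby Murray's message or of the NDA paper he cites, the following Python sketch shows the nonce-based one-shot key the post describes: a server issues a fresh random nonce in place of a KeyKOS/EROS "resume" key, and presenting the nonce rescinds it on the server side, so any copy handed to a delegate dies the moment either copy is used. The class and function names (ResumeKeyTable, issue, present, delegate_then_use) and the scenario are assumptions of this example; it does not reproduce the paper's argument about how such keys yield non-delegatable authorities.

```python
import secrets
from typing import Callable, Dict, Tuple, List

# Assumed names for this example; not from the post or the NDA paper.
class ResumeKeyTable:
    """Server-side table of one-shot keys.

    A key is a fresh 128-bit random nonce that names a pending action.
    Presenting the nonce removes it from the table *before* the action
    runs, so a second presentation (from a copy, a delegate, or a
    re-entrant call) is refused.
    """

    def __init__(self) -> None:
        self._live: Dict[bytes, Callable[[], object]] = {}

    def issue(self, action: Callable[[], object]) -> bytes:
        # Unguessable nonce: the bits themselves are the only credential.
        nonce = secrets.token_bytes(16)
        self._live[nonce] = action
        return nonce

    def present(self, nonce: bytes) -> object:
        # Rescind first, act second: the key is consumed even if the
        # action itself tries to present the same nonce again.
        action = self._live.pop(nonce, None)
        if action is None:
            raise PermissionError("unknown or already-rescinded key")
        return action()

    def live_count(self) -> int:
        return len(self._live)


def delegate_then_use(table: ResumeKeyTable) -> Tuple[object, str, List[str]]:
    """Constructed scenario: the holder copies the key to a delegate
    before anyone uses it. Whoever presents first gets the action;
    the other copy is rescinded along with it."""
    log: List[str] = []
    key = table.issue(lambda: log.append("resumed") or "resumed")
    delegated_copy = bytes(key)          # delegation is just copying bits
    first = table.present(delegated_copy)  # delegate presents first
    try:
        table.present(key)               # original holder tries afterwards
        second = "unexpectedly succeeded"
    except PermissionError:
        second = "rescinded"
    return first, second, log


def forged_key_is_refused(table: ResumeKeyTable) -> bool:
    """A random nonce never issued by the table must be refused."""
    try:
        table.present(secrets.token_bytes(16))
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    t = ResumeKeyTable()
    print(delegate_then_use(t))     # ('resumed', 'rescinded', ['resumed'])
    print(forged_key_is_refused(t))  # True
    print(t.live_count())            # 0
```

The point the sketch makes is only the mechanism: because validity lives in the issuer's table rather than in the bits of the key, copying the key does not copy the authority it confers beyond a single use.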