[cap-talk] Concerning entry "ambient authority" in Wikipedia
David-Sarah Hopwood
david-sarah at jacaranda.org
Sat Jun 6 12:54:22 EDT 2009
Matej Kosik wrote:
> Fellows,
>
> I have some doubts concerning the article "ambient authority" in
> Wikipedia. Do you think it contains a useful text? Imagine that you do
> not know what this term means, do you think that the text will help you
> to understand it? I have some doubts.
>
> Cannot it simply state that:
>
> "A subsystem is said to have *ambient authority* when, if we want to
> determine its authority, we cannot rely on rules defined by
> object-capability security model."
>
> Does everybody agree?
No. The object-capability model is not the only model that avoids
ambient authority. I agree with Mark Miller's definition quoted below.
> This definition will then be as comprehensible as the "object-capability
> security model" but I think this is fair because these terms are "mostly
> complementary". Improved definition of the latter improves the
> definition of the former.
>
> I think that it is also fair to expect that people who are not
> interested in object-capability security model won't be interested in
> using the term "ambient authority".
It is nevertheless important to distinguish "non-ambient authority"
from the object-capability model, because the latter is much more
specific.
Matej Kosik wrote:
> Mark Miller wrote:
>> I would define an ambient authority system as one in which "If a
>> requesting entity requests an action that it is permitted to perform,
>> then the action is allowed."
>
> If we take this definition, then would it cover both:
> - subsystems with ambient authority
> - subsystems with non-ambient authority
> (where we can rely on object-capability security model)
> ?
>
> In both cases it holds that:
>
> "If a requesting entity requests an action that it is permitted
> to perform, then the action is allowed."
>
> because the phrase
>
> "... an action that is permitted to perform ... "
>
> has different meanings in both cases.
No, it has the same meaning. In the ambient authority system, if
an action is permitted to an entity then *any* request to perform that
action will succeed. In the non-ambient authority system, only requests
that include the correct authorising information will succeed.
(Strictly speaking, this authorising information does not have to be
a capability, let alone an object-capability.)
The action is permitted in the same sense -- that is, there exists
some request that the entity could make that would cause the action
to be carried out -- in both cases.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
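The distinction drawn in the reply above, permission derived from the requesting principal alone versus a request that must carry the authorising information, as an added worked example that is not part of the thread. The two toy stores, the `deputy` principal and the paths are constructed for illustration; the authorising information here is an unforgeable capability object, which, as the reply notes, is only one possible form of it.

```python
import secrets


class AmbientStore:
    """Ambient authority: a write is allowed whenever the *requesting principal*
    is on the path's writer list, regardless of what the request carries or
    on whose behalf the principal is acting."""

    def __init__(self):
        self._data = {}
        self._writers = {}  # path -> set of principals allowed to write it

    def grant_write(self, path, principal):
        self._writers.setdefault(path, set()).add(principal)

    def write(self, principal, path, contents):
        if principal not in self._writers.get(path, set()):
            raise PermissionError(f"{principal} may not write {path}")
        self._data[path] = contents

    def read(self, path):
        return self._data.get(path)


class WriteCap:
    """Authorising information for one path. Instances compare by identity
    and carry a random nonce, so naming the path is not enough to build one."""

    __slots__ = ("path", "_nonce")

    def __init__(self, path):
        self.path = path
        self._nonce = secrets.token_bytes(16)


class CapStore:
    """Non-ambient authority: a write succeeds only if the request itself
    carries a WriteCap that this store minted for the target path."""

    def __init__(self):
        self._data = {}
        self._issued = set()  # capability objects this store minted (by identity)

    def mint_write_cap(self, path):
        cap = WriteCap(path)
        self._issued.add(cap)
        return cap

    def write(self, cap, contents):
        # The check looks only at the authorising information in the request,
        # never at who is calling.
        if not isinstance(cap, WriteCap) or cap not in self._issued:
            raise PermissionError("request carries no valid write capability")
        self._data[cap.path] = contents

    def read(self, path):
        return self._data.get(path)


def ambient_deputy(store, output_path):
    """A report service running as the constructed principal 'deputy' that
    writes wherever the caller names. Its authority is ambient: the store
    checks 'deputy', so the caller's own lack of permission never enters."""
    store.write("deputy", output_path, "report")


def cap_deputy(store, caller_cap):
    """The same service under non-ambient authority: it can only write through
    a capability the caller passed in, so it writes only where the caller could."""
    store.write(caller_cap, "report")


def demo():
    """Runs both systems and returns four booleans summarising the outcome."""
    # Ambient: 'deputy' may write /billing; a caller who may not write /billing
    # merely names it, and the request is allowed because the requesting
    # principal is permitted.
    a = AmbientStore()
    a.grant_write("/billing", "deputy")
    ambient_deputy(a, "/billing")
    ambient_billing_overwritten = a.read("/billing") == "report"

    # Non-ambient: the caller holds a capability for /home/user/out only.
    c = CapStore()
    user_cap = c.mint_write_cap("/home/user/out")
    c.mint_write_cap("/billing")  # exists, but is never handed to the caller
    cap_deputy(c, user_cap)
    cap_user_output_written = c.read("/home/user/out") == "report"
    cap_billing_untouched = c.read("/billing") is None

    # An object that merely names /billing is not authorising information:
    # the store did not mint it, so the request is refused.
    try:
        cap_deputy(c, WriteCap("/billing"))
        lookalike_rejected = False
    except PermissionError:
        lookalike_rejected = True

    return (ambient_billing_overwritten, cap_user_output_written,
            cap_billing_untouched, lookalike_rejected)


if __name__ == "__main__":
    print(demo())
```

In both stores the action "write /billing" is permitted in the same sense: some request exists that would carry it out. What differs is which requests succeed, every request from a permitted principal in `AmbientStore`, and only requests that carry the right `WriteCap` in `CapStore`.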