[cap-talk] Ambience

Steve Witham sw at tiac.net
Sun Jun 7 00:20:02 EDT 2009


>From: Matej Kosik <kosik at fiit.stuba.sk>
>
>I have some doubts concerning the article "ambient authority" in
>Wikipedia. Do you think it contains a useful text?

Useful but could be improved.  Besides the text as a whole, the first
sentence or two (which aren't stellar in this case) is especially
important to orient the newcomer to the topic in familiar if
imperfect terms.

>Imagine that you do
>not know what this term means, do you think that the text will help you
>to understand it? I have some doubts.

To me it seems to give some idea of the problem.

>Cannot it simply state that:
>
>"A subsystem is said to have *ambient authority* when, if we want to
>determine its authority, we cannot rely on rules defined by
>object-capability security model."

The problem is that the ocap model isn't familiar to the reader.
But, slightly later you could say, "Ridding systems of ambient
authority could be seen as a chief tool of the object-capability
security model."

>From: Toby Murray <toby.murray at comlab.ox.ac.uk>
>
>I can come up with two definitions for "ambient authority".
>
>1. A program's ambient authority is the subset of its authority that it
>shares with all other programs in the computer system within which it
>resides.
>2. A program's ambient authority is the subset of its authority that it
>can exercise without having to present any form of credential, such as a
>capability, password, certificate etc.

You seem to be trying for a definition that you could use to prove
theorems with, which is not the job of the intro lines of a
wikipedia entry.  To me, ambient authority has always seemed a
fairly fuzzy term that made sense in context.  The problem is to
give an idea of the general issue.  Like, ahem,

"Ambient authority is the set of powers that an object, process, program
or subsystem gets by default by running in some context, as opposed to
powers specifically granted to the object in connection with its job."

>From: "Rob Meijer" <capibara at xs4all.nl>
>
>I would try to avoid using any specific level of granularity in such a
>definition.

I tried to take that advice above...yet the poetry suffers...

>From: "Dave Chizmadia - Gmail" <davechiz at gmail.com>
>
>Could I suggest the following wordy, but precise definition? ...
>
>     "The term 'Ambient Authority' refers to an access control
>     design pattern in which one Actor (the Initiator) is not
>     required to explicitly designate the specific authority by
>     which it requests an action by another Actor (the Target).

Words like Actor, Initiator, Target, Access
Control Information, Inter-Actor Communication system, ACI the
acronym, none of these are right for a wikipedia article, at least
not in the first 66 lines of one.  Also, although it is one,
calling it a design pattern (or antipattern) seems like dressing
it up distractingly (which patterns often are) -- ambient
authority is just a problem situation.

Computer security is not like graph theory or organic chemistry
where there is a settled, boring jargon.  Or if there is, it's
not appropriate for a paradigm war.  Take it to the streets!

>     Ambient Authority is (nearly?) inevitable in systems where

This is getting into advocacy.  It's not that you're not right,
or that you're not explaining what you mean.
In a wikipedia article-- especially in a definition-- you write
what everyone agrees
with, or at least, what no reasonable non-convert will disagree
with.  Sometimes you have to say, "capability-security advocates
say that...", but that's still treading the edge.

>     the access control check is made at the Target by evaluating
>     access control rules over ACI (Access Control Information)
>     provided by the Initiator (or on behalf of the Initiator by
>     its access control infrastructure).

I find this confusing (I find a lot of the conversation on this
list confusing) even though I consider myself a convert and hang
out here a lot.  Weak-minded unmotivated unwashed = *your audience*.

Wikipedia succeeds for me when I can find out about a field that
I'm a complete newb in.  The best pages sort of walk you into
deeper and deeper water as you go, letting you judge how far you
have to go before stopping and working at it, then how much farther
before you have to give up.

>From: "Rob Meijer" <capibara at xs4all.nl>
>
>I like to compare the user based filesystem access control at the process
>level of granularity to an equivalent pattern at the class/object level of
>granularity.
>
>1) A UNIX process has ambient authority to a filesystem as a result of, and
>    limited by, the user id that the process runs under. This authority is
>    implicitly shared with UNIX processes running under the same user id.
>2) An object A has ambient authority to a (static member) object B as a
>    result of, and limited by, the fact that the object is an instance of a
>    particular class C. This authority is implicitly shared with other
>    objects of the class C.
>
>I thus feel the implicit sharing of 1/2 is much more relevant to a
>definition than the ACI component of 1.

[Yeah, implicit sharing!] and

>     In example 2, the ACI is class membership. The type system, which
>is acting as the access control infrastructure, checks the class of
>the Initiator instance object and renders a decision about access on
>that basis. In a strict OCap system, that check isn't part of the
>access control model, since possession of the Target's object
>reference is both necessary and sufficient to invoke the desired
>method, but is part of a type safety model, since invocation won't
>be allowed to proceed if the class membership check fails.
>
>>  I thus feel the implicit sharing of 1/2 is much more relevant to a
>>  definition than the ACI component of 1.
>
>     The implicit sharing of example 1 is on the basis of shared ACI in
>the form of a common userId, while the implicit sharing of example 2
>is on the basis of shared ACI in the form of a common class. Both
>examples are covered by my definition.

I like this angle, although I think "ACI" is best left unmentioned
and undefined, at least till later on.

>From: Mark Miller <erights at gmail.com>
>
>I would define an ambient authority system as one in which "If a
>requesting entity requests an action that it is permitted to perform,
>then the action is allowed."

MarkM, this is too clever by, er, if I understood it I could tell
you the ratio.  Plus, isn't ambient authority a property of a system
rather than the system itself?

>By contrast to a designated authority
>system, in which "If a requesting entity requests an action that is
>permitted by the subset of its permissions that it explicitly brings
>to bear on the action, then the action is allowed." This formulation
>also has the right paradoxical sense

Even knowing it's a pun I can't figure the earlier sentence out.
Maybe not an intentional pun, but all I can say is, think of
how you would make a pun out of it, or phrase it very ironically,
and go in the opposite direction!

As for the later sentence, although it may cover a broader range
of situations in a still-precise way, it's only good as a
definition if well set up (more below).

>-- one can see why it was so easy
>to think that ambient authority was a sensible architecture.

Yes, good to show why the mistake is understandable & a little
subtle.  But it's another too-much for a definition.

TO SUMMARIZE

Start with an easy definition.  Some discussion and
examples.  Definitions of related terms as discussion brings them
up.  Once it's motivated like this you can offer a more refined
definition.  Even alternative definitions are okay after enough
discussion.  Don't try to pack information
into the definition, especially the first one.  Once the info is
given in discussion, you can refer to it in later definitions.

Anyone who wants to tackle this, I would say read the whole
article first and try to figure out what structure it has and
what-all it's trying to cover.

  --Steve
P.S. *Actual conversation* just before I started reading
this thread:
Me:        [Turning on kitchen lights]  What's the Latin?  Fiat lux?
Housemate: What's wrong, the light here over the sink isn't
            good enough for you?  You can't see to clean dishes?
Me:        It's a matter of my mood.  I need AMBIENCE!
Housemate: [scoffs] This is an ambience-free zone.  Thankfully.
  --
I kid you not.
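Rob Meijer's two examples quoted above (a UNIX process reaching whatever its uid owns, and an object reaching a class's static member simply by being an instance of that class) written out as a constructed Python example. This is added here and is not code from anyone on the thread; it assumes a toy in-memory filesystem in place of the real one, a process-wide `CURRENT_UID` in place of the uid a process runs under, and a `FileCap` class standing in for an object-capability.

```python
# Constructed example (not code from the cap-talk thread or its authors).
# A toy in-memory filesystem plays the role of the UNIX filesystem, a
# process-wide name plays the role of the uid the process runs under, and
# FileCap stands in for an object-capability: holding one is the authority.

from dataclasses import dataclass

# Constructed sample data: path -> (owner uid, contents).
FILES = {
    "/home/alice/notes.txt": ("alice", "buy milk"),
    "/home/alice/id_rsa": ("alice", "-----PRIVATE KEY (constructed)-----"),
    "/home/bob/diary.txt": ("bob", "dear diary"),
}

# Process-wide context. Every object in this process shares it implicitly;
# nothing ever passes it as an argument.
CURRENT_UID = "alice"


def ambient_read(path):
    """Ambient authority: the decision depends on CURRENT_UID, which the
    caller never designates. Any code in the process may call this with any
    path; the uid check is the only limit on what it gets back."""
    owner, contents = FILES[path]
    if owner != CURRENT_UID:
        raise PermissionError(f"uid {CURRENT_UID} may not read {path}")
    return contents


@dataclass(frozen=True)
class FileCap:
    """Reference to exactly one file. Whoever holds it can read that file,
    and only that file."""
    path: str

    def read(self):
        return FILES[self.path][1]


class Formatter:
    """A helper whose job is to upper-case text. It needs no file access of
    its own; the two methods show what it can reach under each model."""

    # Class-level ("static") member: every Formatter instance reaches it
    # just by being a Formatter, the class-level analogue of uid sharing.
    scratch = []

    def format_by_path(self, path):
        # Under ambient authority the helper fetches the file itself.
        return ambient_read(path).upper()

    def format_cap(self, cap):
        # Under designated authority it can only read what it was handed.
        return cap.read().upper()


def _attempt(thunk):
    """True if the call succeeds, False if it is refused or the path is unknown."""
    try:
        thunk()
        return True
    except (PermissionError, KeyError):
        return False


def reachable_ambient(helper):
    """Files the helper can read without being given anything: everything
    the process uid owns, shared with every other object running under that
    uid, not just the one file it was meant to format."""
    return sorted(p for p in FILES if _attempt(lambda p=p: helper.format_by_path(p)))


def reachable_designated(helper, caps):
    """Files the helper can read when handed explicit capabilities: exactly
    the ones designated, whatever the process uid could otherwise reach."""
    return sorted(c.path for c in caps if _attempt(lambda c=c: helper.format_cap(c)))


def shares_static_member(a, b):
    """Two instances of the same class reach the same static member
    implicitly; that shared reach is the 'ambient authority' of example 2."""
    return a.scratch is b.scratch


def demo():
    helper = Formatter()
    notes = FileCap("/home/alice/notes.txt")
    return {
        "ambient": reachable_ambient(helper),
        "designated": reachable_designated(helper, [notes]),
        "formatted": helper.format_cap(notes),
        "static_shared": shares_static_member(helper, Formatter()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The contrast the two `reachable_*` functions make is the one the thread circles around: under the ambient model the helper's reach is the uid's whole set of files (here including a private key it was never meant to see), and that reach is identical for every object in the process; under the designated model its reach is the one capability it was handed.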
