[cap-talk] Concening entry "ambient authority" in Wikipedia

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Mon Jun 8 05:29:08 EDT 2009

Mark Miller wrote:
> I would define an ambient authority system as one in which "If a
> requesting entity requests an action that it is permitted to perform,
> then the action is allowed." By contrast to a designated authority
> system, in which "If a requesting entity requests an action that is
> permitted by the subset of its permissions that it explicitly brings
> to bear on the action, then the action is allowed." This formulation
> also has the right paradoxical sense -- one can see why it was so easy
> to think that ambient authority was a sensible architecture.

I think that what is missing from this picture is how finely permissions can
be described in the given system.  For example, I don't see any reason why a
traditional Unix kernel can not be interpreted under an object-capability
glasses, as the object-capability model does not require that separable
interfaces are actually separated.  In the same spirit we only need to use a
very relaxed understanding of "bringing permissions explicitely to bear on an
action" to come to similar conclusions about ambient authority.

Without attempting a formal definition, I think that ambient authority
actually is used here to describe systems in which the POLA design principle
is rejected.


More information about the cap-talk mailing list