[cap-talk] "ambient authority" on wiki.erights.org

David-Sarah Hopwood david-sarah at jacaranda.org
Fri Jun 12 11:36:14 EDT 2009


David Wagner wrote:
> Matej Kosik  wrote:
>> [...] would be relevant if "ambient authority" was somehow inherently
>> connected with "excess authority" which is not true.
> 
> I don't know whether it's necessarily true in principle, but it seems
> to be true enough in practice: in practice, ambient authority seems to
> lead to excess authority.  For instance, ambient authority means that
> each part of the program you're running will have full authority (the
> union of all the authority that any part might ever need).  For many
> parts of the program, this is more than the part needs.

Yes, although "leads to" does not mean that the concepts are the same.

Note that in principle, it could be possible to create an ambient
authority system in which subjects as well as permissions were very
fine-grained.

The reason why systems with identity-based access control mechanisms [*]
don't do this, is that it would be completely unmanageable. A user or
administrator can't be expected to configure permissions for each
instance of a program, let alone instances of subprograms; there are
just too many of them.

The only practical way to solve this is by not requiring explicit
configuration of permissions. That's what a capability system does,
by automatically conveying permissions along with (and ideally,
inseparable from) the corresponding designator.

You could *partially* solve the excess authority problem by dynamically
adding permissions to the set granted to a process as they are needed.
However that would not solve the confused deputy hazard, and it would
not allow dropping permissions. It would also be no simpler
than a capability system, so there's no good reason to do it. However,
"Netscape capabilities" worked essentially this way, as a result of
a misunderstanding of how capability systems are supposed to work.


[*] Usually coinciding with ambient authority, since if you don't
    reify permissions then there is little other choice but to base
    access checks on some function of the requestor's identity.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
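As an added illustration of the distinction drawn in the message above (example code written for this page, not code from the original post or from any system it mentions): a toy "compiler" deputy is run first under identity-based ambient authority, where the confused deputy hazard appears because the deputy brings its whole permission set to every call, and then under capabilities, where the permission travels inseparably with the designator and can be attenuated (dropped) but never amplified. The identities, paths, ACL and dict-backed store are constructed assumptions; unforgeability of capabilities is modelled by convention (caller code is handed `FileCap` objects, never the underlying store).

```python
"""Ambient authority vs. capabilities: the confused deputy in miniature.

The deputy is a compiler service that writes its output where the caller
asks and then appends a line to a billing log that only the compiler, not
its callers, is supposed to be able to write.  (Constructed example.)
"""


def fresh_store():
    # Constructed toy filesystem: path -> contents.
    return {"/home/alice/out.o": "", "/var/billing.log": ""}


# --- Model 1: ambient authority (access checked against caller identity) ---

ACL = {  # constructed identity-based permissions
    "compiler": {"/home/alice/out.o": {"write"}, "/var/billing.log": {"write"}},
    "alice": {"/home/alice/out.o": {"write"}},
}


class AmbientStore:
    def __init__(self, store):
        self.store = store

    def write(self, identity, path, data):
        # Every access is decided by *who* asks, so the deputy carries the
        # union of everything it might ever need into every single call.
        if "write" not in ACL.get(identity, {}).get(path, set()):
            raise PermissionError(f"{identity} may not write {path}")
        self.store[path] += data


def ambient_compile(fs, output_path):
    """Deputy running with the full ambient authority of identity 'compiler'."""
    fs.write("compiler", output_path, "<object code>")
    fs.write("compiler", "/var/billing.log", "alice: 1 unit\n")


def ambient_attack():
    """alice cannot write the billing log herself, but names it as her
    output path; the deputy, checked only by its own identity, obliges."""
    store = fresh_store()
    fs = AmbientStore(store)
    try:
        fs.write("alice", "/var/billing.log", "x")
        alice_direct = True
    except PermissionError:
        alice_direct = False
    ambient_compile(fs, "/var/billing.log")  # confused deputy
    return alice_direct, store["/var/billing.log"]


# --- Model 2: capabilities (permission inseparable from the designator) ----

class FileCap:
    """A designator that carries its own permissions."""

    def __init__(self, store, path, perms):
        self._store, self._path, self._perms = store, path, frozenset(perms)

    def write(self, data):
        if "write" not in self._perms:
            raise PermissionError("capability lacks write")
        self._store[self._path] += data

    def read(self):
        if "read" not in self._perms:
            raise PermissionError("capability lacks read")
        return self._store[self._path]

    def attenuate(self, *perms):
        # Dropping permissions: a derived cap may only be weaker, never stronger.
        if not set(perms) <= self._perms:
            raise PermissionError("cannot add permissions to a capability")
        return FileCap(self._store, self._path, perms)


def cap_compile(output_cap, billing_cap):
    """Deputy acts only through the caps it was handed or already holds.
    There is no path argument, so 'write to the billing log for me' cannot
    even be expressed by a caller who holds no cap to it."""
    output_cap.write("<object code>")
    billing_cap.write("alice: 1 unit\n")


def capability_attack():
    store = fresh_store()
    billing_cap = FileCap(store, "/var/billing.log", {"read", "write"})  # held by compiler
    alice_out = FileCap(store, "/home/alice/out.o", {"read", "write"})  # all alice holds
    cap_compile(alice_out, billing_cap)
    return store["/home/alice/out.o"], store["/var/billing.log"]


def attenuation_demo():
    store = fresh_store()
    rw = FileCap(store, "/home/alice/out.o", {"read", "write"})
    ro = rw.attenuate("read")
    rw.write("hello")
    try:
        ro.write("x")
        ro_can_write = True
    except PermissionError:
        ro_can_write = False
    try:
        ro.attenuate("read", "write")
        can_amplify = True
    except PermissionError:
        can_amplify = False
    return ro.read(), ro_can_write, can_amplify
```

In the ambient model the billing log ends up holding alice's object code, although alice's own identity was never permitted to touch it; adding permissions to the deputy on demand would not change that, since the check never looks at where the request came from. In the capability model the deputy's output designator and its billing designator are distinct objects, and the only way to derive a new cap is `attenuate`, which can drop but not add rights.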
