[cap-talk] "ambient authority" on wiki.erights.org

David-Sarah Hopwood david-sarah at jacaranda.org
Sun Jun 14 09:46:26 EDT 2009 

Rob Meijer wrote:
> On Fri, June 12, 2009 23:05, Karp, Alan H wrote:
>> Rob Meijer wrote:
>>> In what you define as ambient authority, the term 'ambient' seems to me
>>> to be a property of the permissions rather than of the authority.
>>
>> Yes, but using a permission can result in some authority being exercised,
>> so I can get away with using the word "authority."  Perhaps "ambient
>> permission" would be a better term, but you go to Wikipedia with the
>> vocabulary you've got.
> 
> Than apparently this is the core of our disagreement on this subject.
> Your view is that ambient authority is only that authority that originates
> from ambient permissions.
> 
> My interpretation of the term ambient authority would next to authority
> originating from ambient permissions also include authority originating
> from static (implicitly shared) designating permissions.

Suppose that a system has static permissions, granting significant
authority, that could be accessed by any process. Such a system is
clearly not an object-capability system. However, if it supports any
form of reified permissions, then it may still be possible to write
unconfusable deputies in that system -- for example, if that deputy
does not *actually* use any of the static permissions, even though
the system does not prevent it from doing so.

That is why I/we think the Wikipedia article is correct in describing
"ambient authority" primarily as a way of exercising permission (and
therefore authority) rather than primarily as a category of systems.
If, and only if, the deputy used the static permissions, then it would
be using ambient authority (because it would be using only a name to
specify which static permission is accessed).

In a pure ambient authority system, in which there is no support for
reified permissions at all, writing unconfusable deputies is not even
possible. Tyler's "ACLs don't" paper essentially proves that (not just
for ACLs).

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com

More information about the cap-talk mailing list