[cap-talk] "ambient authority" on wiki.erights.org

Rob Meijer capibara at xs4all.nl
Sun Jun 14 17:55:17 EDT 2009


On Sun, June 14, 2009 15:46, David-Sarah Hopwood wrote:
> Rob Meijer wrote:
>> On Fri, June 12, 2009 23:05, Karp, Alan H wrote:
>>> Rob Meijer wrote:
>>>> In what you define as ambient authority, the term 'ambient' seems to me
>>>> to be a property of the permissions rather than of the authority.
>>>
>>> Yes, but using a permission can result in some authority being exercised,
>>> so I can get away with using the word "authority."  Perhaps "ambient
>>> permission" would be a better term, but you go to Wikipedia with the
>>> vocabulary you've got.
>>
>> Then apparently this is the core of our disagreement on this subject.
>> Your view is that ambient authority is only that authority that originates
>> from ambient permissions.
>>
>> My interpretation of the term ambient authority would next to authority
>> originating from ambient permissions also include authority originating
>> from static (implicitly shared) designating permissions.
>
> Suppose that a system has static permissions, granting significant
> authority, that could be accessed by any process. Such a system is
> clearly not an object-capability system. However, if it supports any
> form of reified permissions, then it may still be possible to write
> unconfusable deputies in that system -- for example, if that deputy
> does not *actually* use any of the static permissions, even though
> the system does not prevent it from doing so.

So far I think I can follow you.

> That is why I/we think the Wikipedia article is correct in describing
> "ambient authority" primarily as a way of exercising permission (and
> therefore authority) rather than primarily as a category of systems.

At this step you lost me. To me neither "a way of exercising permissions"
nor "a category of systems" could fit a definition of "xxxxxx authority".

I feel a definition of "ambient authority" should be described as a
"subset" of the authority of an actor.
Something like: "The ambient authority of an actor is the subset of its
total authority that ...............................".

The most important question is what subset exactly.

Important in this definition is that we are talking about authority not
permissions. So we also may need to consider the transitive properties of
ambiance if there are any. That is, ambient communication channels to
proxy objects that have non ambient authority and non ambient channels to
proxies that use ambient authority.

The most pressing issue however is I feel the classification of authority
that originates from designating but ambient (static) permissions.

I feel the step permission to authority is easy to make too quickly, so
any "and therefore authority" is a line we should look at a bit sceptically.




