[cap-talk] "ambient authority" on wiki.erights.org

Rob Meijer capibara at xs4all.nl
Mon Jun 15 04:20:09 EDT 2009


On Mon, June 15, 2009 09:09, David Wagner wrote:
> Rob Meijer wrote:
>> there are actually four possibilities for what ambient authority would
>> include:
>
> I wonder if you may be approaching this from the wrong end.  You are
> starting with the phrase, and trying to come up with a concept to go
> with the name.  That feels backwards to me.
>
> Let me articulate the insight that Dean & Mark had, as I see it.
> Their insight was to identify a particular pattern (anti-pattern,
> actually) that is common to many systems and is harmful to security.
> This was a useful and important concept.  Given that this is an important
> concept, it's useful for it to have a name.  The specific name chosen is
> arguably less important than that it have *a* name.  The concept itself
> is more important than the name we use to refer to it.
>
> It sounds like you are starting from the phrase and trying to come up
> with a definition of that phrase, trying to decide which definition
> seems like it goes best with that phrase.  I'd argue you should be
> starting from the concept, since that's the important thing.  The words
> "ambient authority" are not of any particular interest in themselves,
> apart from the concept/pattern that Dean & Mark identified as important.
>
> If you want to argue that this concept should go under a different name,
> well, you're free to.  Personally I think it's a bit late for that at
> this point, but you're free to disagree.  But, does it really matter?
> A phrase like "ambient authority" isn't going to make any sense to anyone
> outside our community until it is explained, anyway, so why does it matter
> which mysterious phrase we use for this unfamiliar but important concept?
> I'd say "ambient permission" is just as mysterious.

I don't want to argue that the concept that Dean & Mark identified should
go under another name. I argue that we should not use a too narrow
definition of this concept that is misaligned with the linguistic
decomposition of the term, while the concept can just as well be defined
in a way that is aligned with the decomposition of the term.

I have always interpreted "ambient authority" in that broad sense, that
includes but is not defined by the narrow sense that David & Allan
interpret it to mean.

From this interpretation I have, when doing presentations on POLP/POLA,
used OO languages' use of static (authority carrying) variables as an
example of ambient authority at the programming language level of
granularity.

If indeed the narrow and misaligned interpretation of their concept was
the intended meaning of Dean & Mark, then I have been given a completely
wrong example.

Given that I trust Dean & Mark not to have used the term authority when
they meant permission, and there are possible narrow but aligned
interpretations of ambient authority that would still exclude my static
variables example, I tried to list the possible aligned interpretations of
the bandwidth at what they may have intended the term to apply to the
concept, thus to find out what 'we' mean by ambient authority, as
apparently my interpretation is something much broader than that of Allan
and David.

I think we should give Dean & Mark sufficient credit not to have meant
permission when they meant authority, thus dismissing any definition that
is a definition of a type of permission.

After this, we need to look at some border cases that apparently are
subject to different interpretation with respect to if they should be
classified as ambient authority or not:

A Static authority (as in static authority carrying variables in OO)
B Authority through ambient available proxies.
C Authority through designating proxy permission to a proxy with ambient
  authority.

These border cases are outside of the first concern of Dean & Mark's
findings, but are absolutely of the biggest importance when trying to
arrive at a definition that can be used without high probability of
misunderstanding. If I interpret ambient authority as I currently do to
include A and B but not C, and Allan interprets it to not include A or B,
but to include C, then we are very likely not to be able to come to a
definition of ambient authority that we both agree on, even if we agree on
what ambient authority means in the original settings for what it was
first described as a concept.

Rob
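
Border case A from the list above (a static, authority-carrying variable in an OO language), shown next to the same authority handed over as an argument; this is an added example, not part of the original post, and it does not settle whether the case falls under the term being debated. All names (`Ledger`, `Services`, `static_plugin`, `passed_plugin`, `static_authority_used`) are constructed for illustration, and the bytecode name check is one assumed way to spot code that reaches a static.

```python
"""Constructed illustration of a static, authority-carrying variable."""


class Ledger:
    """A resource whose reference conveys authority to append entries."""

    def __init__(self):
        self.entries = []

    def append(self, entry):
        self.entries.append(entry)


class Services:
    # Static (class-level) variable carrying authority: any code that can
    # name Services can write to this ledger without being handed it.
    ledger = Ledger()


def static_plugin(text):
    # Receives only data, yet exercises authority reached through the static.
    Services.ledger.append(text)


def passed_plugin(ledger, text):
    # Can only exercise the authority its caller explicitly handed over.
    ledger.append(text)


# Constructed list of names in this module that hold static authority.
AUTHORITY_HOLDERS = {"Services"}


def static_authority_used(func):
    """Return the static authority holders a function refers to by name."""
    return sorted(AUTHORITY_HOLDERS.intersection(func.__code__.co_names))


def run_demo():
    private = Ledger()
    static_plugin("written via static")
    passed_plugin(private, "written via argument")
    return {
        "static_ledger": list(Services.ledger.entries),
        "private_ledger": list(private.entries),
        "static_plugin_reaches": static_authority_used(static_plugin),
        "passed_plugin_reaches": static_authority_used(passed_plugin),
    }
```
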


