[cap-talk] "ambient authority" on wiki.erights.org

David-Sarah Hopwood david-sarah at jacaranda.org
Mon Jun 15 11:22:03 EDT 2009


Rob Meijer wrote:
> On Mon, June 15, 2009 01:22, David-Sarah Hopwood wrote:
>> Rob Meijer wrote:
>>> I feel a definition of "ambient authority" should be described as a
>>> "subset" of the authority of an actor.
>>
>> You might feel that, but that does not seem to be the concept that
>> Mark Miller and Dean Tribble coined the term "ambient authority" to
>> describe.
> 
> Possible, but I doubt anyone, especially these two, would be happy if
> ambient authority did end up meaning something that increased the ongoing
> confusion about permissions versus authority.
> 
> Let's for a moment introduce the term 'ambient permissions' in order to get
> to the core issue.
> 
> I would think, given your above statements, that you would feel the
> following might be a fair definition of "ambient authority":
> 
> 1) "The subset of the authority of an actor that it derives from its
> ability to use ambient permissions in a non-designating way."
> 
> Where I would feel the following might be a more useful definition (thus
> including static permissions):
> 
> 2) "The subset of the authority of an actor that it derives from its
> ability to use ambient permissions (either in a designating or
> non-designating way)."

I don't understand what distinction you want to make by "designating" vs
"non-designating".

In all systems I'm aware of, the object(s) that are to be directly acted
on by a request are designated in that request. The difference at issue
is whether the request has to explicitly specify the permission(s) to
access each such object (either paired with, or combined inseparably with
the corresponding designator). "Ambient" means that it doesn't.

Note that this is a property of the request. For example, a system
could have one "ambient request" API in which a request succeeds if the
subject has any applicable permission [*], and another "non-ambient request"
API, in which the permissions must be specified explicitly. If the
permissions (and therefore authority) that could potentially be exercised
via each API were the same for a given subject, then it would not be
possible in such a system to view the "ambience" as being a property of
any particular permission or authority.


[*] This is not just a theoretical possibility; L4 is a reified permission
    system that is not (by the definitions I prefer) a capability system,
    because it uses such an ambient API. I am not sure whether L4 also has
    a non-ambient API.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
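As an added illustration of the distinction drawn in the reply above (this is constructed example code, not code from the cap-talk thread, from L4, or from any system named in it): a toy permission table with two request APIs over it. The "ambient" API designates only the object and operation and lets the system pick any applicable permission the subject holds; the "non-ambient" API requires the caller to present the permission itself, paired with its designator. Because both APIs draw on the same table, the authority reachable through each is identical, which is why ambience is a property of the request rather than of a permission. The `source` field, which records who delegated a permission, is an assumption added only to show what an ambient request leaves unspecified; every name here (`System`, `ambient_request`, `explicit_request`, the sample paths) is my own.

```python
"""Toy model: 'ambient' vs 'non-ambient' request APIs over one permission table.

Constructed example; not the thread's or any real system's code.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Permission:
    """A reified permission: the designator of one object plus one operation."""
    resource: str
    op: str
    # Assumed field: who delegated this permission to the holder. Used only to
    # show that the ambient API never asks which permission is being exercised.
    source: str = "self"


class PermissionDenied(Exception):
    pass


class System:
    def __init__(self) -> None:
        # subject name -> set of permissions the subject holds
        self.table: Dict[str, Set[Permission]] = {}

    def grant(self, subject: str, perm: Permission) -> None:
        self.table.setdefault(subject, set()).add(perm)

    # "Ambient request" API: the request designates the object and the
    # operation but not the permission; the request succeeds if the subject
    # holds *any* applicable permission, and the system chooses which one.
    def ambient_request(self, subject: str, resource: str, op: str) -> Permission:
        for perm in self.table.get(subject, set()):
            if perm.resource == resource and perm.op == op:
                return perm
        raise PermissionDenied(f"{subject}: no permission for {op} on {resource}")

    # "Non-ambient request" API: the caller presents the permission explicitly.
    # Here the Permission value is itself the (designator, permission) pair.
    # The system still checks that the subject actually holds it, so a made-up
    # or revoked permission is rejected.
    def explicit_request(self, subject: str, perm: Permission) -> Permission:
        if perm not in self.table.get(subject, set()):
            raise PermissionDenied(f"{subject} does not hold {perm}")
        return perm

    # Authority (resource, op) potentially exercisable through each API.
    def ambient_authority(self, subject: str) -> Set[Tuple[str, str]]:
        return {(p.resource, p.op) for p in self.table.get(subject, set())}

    def explicit_authority(self, subject: str) -> Set[Tuple[str, str]]:
        reached = set()
        for p in self.table.get(subject, set()):
            used = self.explicit_request(subject, p)
            reached.add((used.resource, used.op))
        return reached


def build_demo() -> System:
    """Constructed scenario: a service holds two 'read' permissions on the same
    file, delegated by two different clients, plus one permission of its own."""
    s = System()
    s.grant("service", Permission("/data/report", "read", source="alice"))
    s.grant("service", Permission("/data/report", "read", source="bob"))
    s.grant("service", Permission("/data/log", "append", source="self"))
    return s


if __name__ == "__main__":
    s = build_demo()
    # Same authority through both APIs.
    print(s.ambient_authority("service") == s.explicit_authority("service"))
    # Ambient: the caller did not say whose delegated permission it is using.
    print(s.ambient_request("service", "/data/report", "read").source)
    # Explicit: the caller names the permission, so the choice is recorded.
    print(s.explicit_request("service", Permission("/data/report", "read", "bob")).source)
```

The interesting case is the two `read` permissions on `/data/report`: the ambient request is satisfied by either, and nothing in the request records on whose behalf the service acted, while the explicit request forces that choice into the request itself, where an audit log or a least-privilege policy can see it.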
