[cap-talk] Are static references ambient authorities? (Formerly "ambient authority" on wiki.erights.org)
Karp, Alan H
alan.karp at hp.com
Mon Jun 15 20:00:36 EDT 2009
When I get confused, as I am now, I retreat to the simplest example I can come up with. In this case, it's the following.
Alice wishes to copy the contents of file A to file B and has read/write permission for both of them. Unbeknownst to her, the copy function is implemented as copy(x,y){x.write(y.read());}. In an ambient authority system, Alice says copy(a,b) and ends up with the contents of file B in file A. In a non-ambient authority system, Alice can specify which permissions to use and says copy(r:a,w:b). The request fails, which is better than clobbering file A. This example is consistent with the definition of ambient authority that I proposed.
Now, let's say that Alice is an object in a program having four static variables, ra, wa, rb, wb embodying those permissions. When Alice says copy(ra,wb), the request fails as in the non-ambient authority example. That's why I say static variables do not fit my definition of ambient authority.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
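The two cases described in the message above, as an added example that is not part of the original post. The names MemFile, reader, writer, runAmbient and runFacets are hypothetical; copy is written as the post gives it, and ra, wa, rb, wb are module-level constants standing in for Alice's static variables.

```javascript
// Added illustration; MemFile, reader, writer, runAmbient, runFacets are hypothetical names.
class MemFile {
  constructor(data) { this.data = data; }
  read() { return this.data; }
  write(s) { this.data = s; }
}

// Attenuated facets: each object carries exactly one permission on one file.
const reader = (f) => Object.freeze({ read: () => f.read() });
const writer = (f) => Object.freeze({ write: (s) => f.write(s) });

// The copy function as given in the post: it writes x from y,
// the reverse of what Alice expects.
function copy(x, y) { x.write(y.read()); }

// Ambient case: Alice only designates the files. Every permission she
// holds on them is available to copy, so the reversed call succeeds.
function runAmbient() {
  const a = new MemFile('contents of A');
  const b = new MemFile('contents of B');
  copy(a, b);
  return { a: a.data, b: b.data };
}

// Static-variable case: four module-level references, one per permission.
const fileA = new MemFile('contents of A');
const fileB = new MemFile('contents of B');
const ra = reader(fileA), wa = writer(fileA);
const rb = reader(fileB), wb = writer(fileB);

// Alice names the permissions she intends to use: read A, write B.
// copy needs write-on-x and read-on-y, which these facets do not
// provide, so the call throws and neither file is modified.
function runFacets() {
  let failed = false;
  try {
    copy(ra, wb);
  } catch (e) {
    failed = e instanceof TypeError;
  }
  return { failed, a: fileA.data, b: fileB.data };
}

console.log('ambient:', runAmbient());
console.log('facets: ', runFacets());
```
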