[cap-talk] "ambient authority" on wiki.erights.org
Sam Mason
sam at samason.me.uk
Fri Jun 19 06:33:37 EDT 2009
On Fri, Jun 19, 2009 at 08:34:06AM +0200, Rob Meijer wrote:
> Now lets see if we reduce this further:
>
> class Copier {
>     static FileObject sFileA;
>     static void setSourceFile(FileObject a) {
>         sFileA = a;
>     }
>     void copy(FileObject fileb) {
>         sFileA.seek(0);
>         fileb.write(sFileA.read());
>     }
> }
> main (FileObject a, FileObject b, FileObject c) {
>     Copier::setSourceFile(a);
>     copy_from_a = new Copier();
>     copy_from_a.copy(b);
>     copy_from_a.copy(c);
> }
>
> Yes, looks like it. We move the shared authority carrying state from
> global scope to the copier static scope, and essentially all relevant
> parts of the previous examples remain, we still have an example of ambient
> authority.
I'm confused as to the point of this example; are you saying that
ambient authority exists or does not in this example?
I'd say we do not, as your FileObjects will contain authority information
and hence the program can't "go wrong". It's obviously possible for
it to contain a bug and try writing to a, but I'd expect this to fail
because a would be opened for reading only.
It's possible to analyze "within" the program at which point the
variables a, b and c are ambiently available, but this doesn't seem to
confer ambient authority as they are all running as the same subject.
--
Sam http://samason.me.uk/
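The distinction Sam draws above, as an added example that is not code from the thread or from wiki.erights.org: a FileObject that carries the mode it was opened with, so the buggy `copy(a)` fails at the write, set against a name-based version where any code holding the name "a" exercises the process's whole authority and the same bug silently truncates the source. FileObject, Copier, AuthorityError, the in-memory buffers and the `run_*` entry points are constructed here for illustration; Rob's code as quoted does not define them.

```python
"""Capability-carrying FileObject versus name-based (ambient) access.

Added example, not code from the cap-talk thread. FileObject, Copier,
AuthorityError and the run_* helpers are this example's own; file contents
are in-memory bytearrays standing in for real files.
"""
from __future__ import annotations

from dataclasses import dataclass


class AuthorityError(PermissionError):
    """Use of a FileObject for an operation its opener did not grant."""


@dataclass
class FileObject:
    """Designation and permission travel together: the holder can act on
    `buf` only in the mode recorded at open time."""
    buf: bytearray
    readable: bool
    writable: bool
    pos: int = 0

    def seek(self, offset: int) -> None:
        self.pos = offset

    def read(self) -> bytes:
        if not self.readable:
            raise AuthorityError("not opened for reading")
        data = bytes(self.buf[self.pos:])
        self.pos = len(self.buf)
        return data

    def write(self, data: bytes) -> int:
        if not self.writable:
            raise AuthorityError("not opened for writing")
        end = self.pos + len(data)
        self.buf[self.pos:end] = data
        self.pos = end
        return len(data)


def open_read_only(contents: bytes) -> FileObject:
    return FileObject(bytearray(contents), readable=True, writable=False)


def open_write_only() -> FileObject:
    return FileObject(bytearray(), readable=False, writable=True)


class Copier:
    """Rob's Copier: the source sits in class (static) scope, shared by every
    instance, but it is still a FileObject and still carries its mode."""
    source: FileObject | None = None

    @classmethod
    def set_source_file(cls, a: FileObject) -> None:
        cls.source = a

    def copy(self, fileb: FileObject) -> int:
        if Copier.source is None:
            raise RuntimeError("source file not set")
        Copier.source.seek(0)
        return fileb.write(Copier.source.read())


def run_capability_main(payload: bytes) -> dict:
    """main(a, b, c) from the thread, plus the bug Sam mentions: copying into a."""
    a, b, c = open_read_only(payload), open_write_only(), open_write_only()
    Copier.set_source_file(a)
    copy_from_a = Copier()
    copy_from_a.copy(b)
    copy_from_a.copy(c)
    try:
        copy_from_a.copy(a)           # bug: a is the read-only source
        rejected = False
    except AuthorityError:            # the object itself refuses the write
        rejected = True
    return {"a": bytes(a.buf), "b": bytes(b.buf), "c": bytes(c.buf),
            "buggy_write_rejected": rejected}


# Contrast: access by name. Whoever knows the name gets whatever the process
# as a whole may do to the file; "a was opened for reading" is recorded nowhere.
AMBIENT_FS: dict[str, bytearray] = {}


def ambient_open(name: str) -> bytearray:
    return AMBIENT_FS.setdefault(name, bytearray())


def ambient_copy(src_name: str, dst_name: str) -> None:
    src, dst = ambient_open(src_name), ambient_open(dst_name)
    del dst[:]                        # truncate destination, as a copy would
    dst.extend(src)


def run_ambient_main(payload: bytes) -> dict:
    """Same program, same bug: with names the write to "a" succeeds and empties it."""
    AMBIENT_FS.clear()
    AMBIENT_FS["a"] = bytearray(payload)
    for dst in ("b", "c", "a"):       # "a" slips into the destination list
        ambient_copy("a", dst)
    return {"a": bytes(AMBIENT_FS["a"]), "b": bytes(AMBIENT_FS["b"]),
            "c": bytes(AMBIENT_FS["c"]), "buggy_write_rejected": False}
```

Both entry points run the same sequence of copies; only the capability version reports the misdirected write as rejected, and only the ambient version ends with an empty source, which is the "can't go wrong" property Sam attributes to authority-carrying FileObjects.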