[cap-talk] "ambient authority" on wiki.erights.org
Karp, Alan H
alan.karp at hp.com
Fri Jun 19 12:45:31 EDT 2009
Rob Meijer wrote:
>
> This example might be useful to get our standpoints more clear.
> I hope the above is an example we can all agree uses ambient authority.
> Let's make a few modified versions and see how we think about those.
>
> class FileSystem {
>     static map<string,FileObject> mFiles;
>     static openFile(string filename) {
>         return mFiles[filename];
>     }
> }
> function copy_ab(){
>     File in = FileSystem::openFile("a");
>     File out = FileSystem::openFile("b");
>     out.write(in.read());
> }
> main(){
>     copy_ab();
>     return;
> }
>
This example and the next two versions make a point different from the one I was making. In my example, Alice provides the filenames on the command line, which is the point at which she is using ambient authorities. In your examples, the filenames are used in a place where the program can explicitly specify whether the file is opened for read and/or write. In other words, these programs explicitly designate the authorities they are using, which does not fit my definition of ambient authority.
>
> class Copier {
>     static FileObject sFileA;
>     static setSourceFile(FileObject a) {
>         sFileA=a;
>     }
>     void copy(FileObject fileb) {
>         sFileA.seek(0);
>         fileb.write(sFileA.read());
>     }
> }
> main (FileObject a,FileObject b, FileObject c){
>     Copier::setSourceFile(a);
>     copy_from_a = new Copier();
>     copy_from_a.copy(b);
>     copy_from_a.copy(c);
> }
>
In this example, which is similar to MarkM's "cat <in >out" example, Alice passes open file handles into the program, giving her the opportunity to specify which authorities to use for each argument. Hence, this example does not meet my definition of ambient authority.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
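The distinction drawn in the message above, as an added, runnable illustration that is not part of the original post or of Rob Meijer's pseudocode: the first copier resolves names itself against a global namespace (the `FileSystem::openFile("a")` shape), so its reachable authority is everything that namespace contains; the second copier receives a read handle and a write handle from the caller (the `main(FileObject a, ...)` shape), so its reachable authority is exactly those two handles and nothing else. The in-memory "file system", the file names and contents, and the `ReadCap`/`WriteCap` class names are all constructed for the example.

```python
"""Ambient authority versus explicitly passed authority, in miniature.

Constructed stand-in for a file system: a global name -> bytes table that
plays the role of the ambient namespace every process can see.
"""

# Constructed sample data; "secret" is a file the copier has no business touching.
AMBIENT_FS = {
    "a": bytearray(b"hello"),
    "b": bytearray(),
    "secret": bytearray(b"payroll"),
}


# --- Version 1: ambient authority ------------------------------------------
class FileSystem:
    """Any code that can spell a file's name gets full read/write access."""

    @staticmethod
    def open_file(name):
        return AMBIENT_FS[name]


def copy_ambient(src_name, dst_name):
    """Copy by name: the program itself designates what it touches."""
    src = FileSystem.open_file(src_name)
    dst = FileSystem.open_file(dst_name)
    dst[:] = src
    return bytes(dst)


def ambient_reach():
    """Everything the ambient copier could reach, whether asked to or not."""
    return sorted(AMBIENT_FS)


# --- Version 2: authority handed in as capabilities -------------------------
class ReadCap:
    """Read-only handle: the only operation it offers is read()."""

    def __init__(self, buf):
        self._buf = buf

    def read(self):
        return bytes(self._buf)


class WriteCap:
    """Write-only handle: the only operation it offers is write()."""

    def __init__(self, buf):
        self._buf = buf

    def write(self, data):
        self._buf[:] = data
        return len(data)


def copy_caps(src, dst):
    """Copy between two handles; never sees a filename or the namespace."""
    return dst.write(src.read())


def alice_runs_copy(src_name, dst_name):
    """The shell's role: Alice resolves the names and hands over exactly one
    read handle and one write handle. The copier's reach is just those two."""
    src = ReadCap(AMBIENT_FS[src_name])
    dst = WriteCap(AMBIENT_FS[dst_name])
    written = copy_caps(src, dst)
    return written, bytes(AMBIENT_FS[dst_name])


def attempt(fn):
    """Return the name of the exception raised by fn(), or None on success."""
    try:
        fn()
    except Exception as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print("ambient copier can name:", ambient_reach())
    print("capability copy:", alice_runs_copy("a", "b"))
    # A read handle cannot be written through, and vice versa.
    print(attempt(lambda: ReadCap(AMBIENT_FS["a"]).write(b"x")))
```

In the capability version the copier's authority is visible in its signature: whoever calls `copy_caps` chooses which buffers it may read and which it may write, and handing it two read handles by mistake fails at the `write` call rather than silently touching a file the caller never intended.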