[cap-talk] "ambient authority" on wiki.erights.org

Rob Meijer capibara at xs4all.nl
Fri Jun 19 14:27:37 EDT 2009


On Fri, June 19, 2009 18:45, Karp, Alan H wrote:
> Rob Meijer wrote:
>>
>> This example might be useful to get our standpoints more clear.
>> I hope the above is an example we can all agree uses ambient authority.
>> Let's make a few modified versions and see how we think about those.
>>
>> class FileSystem {
>>   static map<string,FileObject> mFiles;
>>   static openFile(string filename) {
>>      return mFiles[filename];
>>   }
>> }
>> function copy_ab(){
>>   File in  = FileSystem::openFile("a");
>>   File out = FileSystem::openFile("b");
>>   out.write(in.read());
>> }
>> main(){
>>  copy_ab();
>>  return;
>> }
>>
> This example and the next two versions make a point different from the one
> I was making.  In my example, Alice provides the filenames on the command
> line, which is the point at which she is using ambient authorities.  In
> your examples, the filenames are used in a place where the program can
> explicitly specify whether the file is opened for read and/or write.  In
> other words, these programs explicitly designate the authorities they are
> using, which does not fit my definition of ambient authority.
>

Let's look at it from the other side for a moment. Please excuse my
definitions of more terms; it is just to get things cleared up, as the
existing terminology seems a source of miscommunication.

Using capability rules for obtaining permissions, we could say that for
any subject, its EXPLICIT authority is that part of its authority that
originates in permissions that were either:

1) Passed explicitly at construction time (constructor parameters)
2) Passed explicitly ( method invocation parameters )
3) Bound to objects created by the subject itself.

Any additional authority we could classify as IMPLICIT authority.

Second, if we look at object designation between subjects, then we can
clearly distinguish AUTHORIZING object designations and NON-AUTHORIZING
object designations. You could map this to authority by looking at the
authority used by the subject that receives the designation in order to
access the object. If the receiving object uses an authorizing designation
we can say the authority when used is DESIGNATING authority. All other
uses of authority could be called NON-DESIGNATING authority.

The basic examples often used to describe ambient authority seem to bundle
implicit authority with non-designating authority and explicit authority
with designating authority, making the current confusion quite
understandable.

From this it appears that to you approximately
  NON-DESIGNATING authority == AMBIENT authority
while to me approximately
  IMPLICIT authority  == AMBIENT authority.

Does this analysis make any sense, or am I again misinterpreting your view?
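An added example, not from the thread or either poster, that makes the distinctions above concrete in C++: the quoted copy_ab() over a static registry, a variant that receives file names as parameters but still resolves them through that registry (explicitly passed, yet a non-authorizing designation), and a variant that receives the file objects themselves (an authorizing designation). The in-memory File type, the helper names and the sample data are constructed for the example.

```cpp
#include <map>
#include <string>

// Constructed stand-in for the thread's FileObject: an in-memory file.
struct File {
    std::string contents;
    std::string read() const { return contents; }
    void write(const std::string& data) { contents = data; }
};

// Ambient version, as in the quoted FileSystem: a process-wide static registry
// that any code anywhere can reach by naming a string.
class FileSystem {
public:
    static std::map<std::string, File> mFiles;
    static File& openFile(const std::string& name) { return mFiles[name]; }
};
std::map<std::string, File> FileSystem::mFiles;
// The quoted copy_ab(): "a" and "b" are baked in and the authority to reach
// them comes from the global registry, not from the caller.
void copy_ab() {
    File& in  = FileSystem::openFile("a");
    File& out = FileSystem::openFile("b");
    out.write(in.read());
}
// Names passed as parameters (Rob's category 2), but a string is a
// NON-AUTHORIZING designation: resolving it still needs the ambient registry.
void copy_by_name(const std::string& src, const std::string& dst) {
    FileSystem::openFile(dst).write(FileSystem::openFile(src).read());
}
// File references are AUTHORIZING designations: the callee can touch only the
// two objects it was handed and has no path to the registry.
void copy_by_reference(const File& in, File& out) { out.write(in.read()); }

// Seeds the registry, runs one of the registry-based copies, returns the result.
std::string run_registry_copy(bool by_name, const std::string& data) {
    FileSystem::mFiles.clear();
    FileSystem::openFile("a").write(data);
    if (by_name) copy_by_name("a", "b"); else copy_ab();
    return FileSystem::openFile("b").read();
}

// Copies between purely local objects; true if the data arrived and the
// global registry was never touched (still empty).
bool reference_copy_stays_local(const std::string& data) {
    FileSystem::mFiles.clear();
    File in{data}, out{};
    copy_by_reference(in, out);
    return out.read() == data && FileSystem::mFiles.empty();
}
```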

More information about the cap-talk mailing list