[cap-talk] "ambient authority" on wiki.erights.org

Karp, Alan H alan.karp at hp.com
Tue Jun 23 11:59:12 EDT 2009


Rob Meijer wrote:
> 
> from this it appears that to you approximately
>   NON-DESIGNATING authority == AMBIENT authority 
> while to me approximately
>   IMPLICIT authority  == AMBIENT authority.
> 
> Does this analysis make any sense, or am I again misinterpreting your view?
>
Yes, that summarizes the confusion nicely.  My definition is exactly the former.

I have been treating a static, immutable, authority carrying variable as part of every object's creation state, not different in any essential way from an argument passed to its constructor.  I like the distinction you make between explicit and implicit authority.  What I don't see is how a security analysis can use the difference between an implicit authority and one that is explicitly passed to the constructor of every object.

I don't want to equate implicit with ambient because we use the confused deputy as an example of the dangers of ambient authority.  Consider Norm's classic confused deputy.  Object Alice was constructed by passing it a read facet to foo.c and a write facet to foo.o.  Object Bob was constructed by passing it a write facet to log.txt.  Even if the read facet to log.txt is in a static, immutable variable, there is no confused deputy because Alice must explicitly designate the permissions associated with each argument to the cc() method.  

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
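The scenario in the message, worked through in code. This is an added example, not code from the cap-talk thread or from Karp. The names Alice, Bob, foo.c, foo.o, log.txt and cc() follow the message; the message does not say which object plays the deputy, so the example assumes Bob is the compiler because he is the one constructed with the write facet to log.txt. The in-memory Store, the ReadFacet/WriteFacet classes, the "audit" log content and the two attack scenarios are constructed for illustration. The first half models the ambient-authority compiler from Norm Hardy's paper (output named by string, written with the process's own authority); the second half models the facet-passing version, where the only handle to log.txt Alice can name is the static read facet and cc() rejects it as an output.

```python
"""Norm Hardy's confused deputy, once with ambient authority and once with
object capabilities.  Added example accompanying the cap-talk message above,
not code from the thread.  Alice (client), Bob (compiler), foo.c, foo.o,
log.txt and cc() follow the message; the in-memory Store, the facet classes
and the attack scenarios are constructed for illustration."""


class Store:
    """In-memory stand-in for a filesystem (constructed fixture)."""

    def __init__(self):
        self.reset()

    def reset(self):
        self.files = {"foo.c": "int main(){}", "foo.o": "", "log.txt": "audit\n"}


STORE = Store()


# ---- Ambient authority: files are named by string and the compiler acts
# with whatever its process may touch, which includes log.txt. ----
def cc_ambient(src_path, out_path):
    """Compiler deputy: writes wherever the caller says, then logs the job."""
    STORE.files[out_path] = "obj(" + STORE.files[src_path] + ")"
    STORE.files["log.txt"] += "compiled %s -> %s\n" % (src_path, out_path)


def ambient_attack():
    """Alice, who should only read foo.c and write foo.o, names log.txt as
    the output.  Returns log.txt afterwards: the audit line is clobbered."""
    STORE.reset()
    cc_ambient("foo.c", "log.txt")
    return STORE.files["log.txt"]


# ---- Object capabilities: the permission travels with each argument. ----
class ReadFacet:
    def __init__(self, name):
        self._name = name

    def read(self):
        return STORE.files[self._name]


class WriteFacet:
    def __init__(self, name):
        self._name = name

    def write(self, data):
        STORE.files[self._name] = data

    def append(self, data):
        STORE.files[self._name] += data


# The read facet to log.txt as a static, immutable variable visible to every
# object; per the message it is no different from a constructor argument.
LOG_READ = ReadFacet("log.txt")


class Bob:
    """The compiler (assumed deputy).  Constructed with the only write
    facet to log.txt; nobody else can hand that authority in."""

    def __init__(self, log):
        self._log = log

    def cc(self, src, out):
        """Each argument carries the permission the caller designated for it:
        the output can only be a WriteFacet the caller already holds."""
        if not isinstance(src, ReadFacet) or not isinstance(out, WriteFacet):
            raise TypeError("cc() takes (ReadFacet, WriteFacet)")
        out.write("obj(" + src.read() + ")")
        self._log.append("compiled one job\n")


class Alice:
    """The client.  Constructed with a read facet to foo.c and a write facet
    to foo.o; that, plus LOG_READ, is everything she can designate."""

    def __init__(self, src, obj):
        self._src, self._obj = src, obj

    def build(self, compiler):
        compiler.cc(self._src, self._obj)

    def try_clobber_log(self, compiler):
        """LOG_READ is the only handle to log.txt Alice can name; passing it
        as the output is refused.  Returns True when the attempt is rejected."""
        try:
            compiler.cc(self._src, LOG_READ)
        except TypeError:
            return True
        return False


def capability_scenario():
    """Honest build, then the attempted attack.  Returns (foo.o, log.txt,
    attack_refused)."""
    STORE.reset()
    alice = Alice(ReadFacet("foo.c"), WriteFacet("foo.o"))
    bob = Bob(WriteFacet("log.txt"))
    alice.build(bob)
    refused = alice.try_clobber_log(bob)
    return STORE.files["foo.o"], STORE.files["log.txt"], refused
```

Two caveats on the model. The check in cc() is an isinstance test because Python has no sealed references; in an object-capability language the same thing falls out of a ReadFacet simply having no write method. And Python's encapsulation is advisory, so STORE.files is reachable by anyone who wants it; the example shows the reasoning in the message (authority is designated per argument, so a static read facet cannot be turned into a write), not an ocap-secure implementation.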


