[cap-talk] "ambient authority" on wiki.erights.org
David Wagner
daw at cs.berkeley.edu
Tue Jun 23 21:13:27 EDT 2009
Karp, Alan H wrote:
> I have been treating a static, immutable, authority carrying variable as
> part of every object's creation state, not different in any essential
> way from an argument passed to its constructor.

It seems different to me, in some essential ways:
* With a global authority-carrying variable, you can't prevent some
objects from receiving this authority. If it is passed as an
explicit argument to the constructor, you can.
* With a global variable, the default is to make this authority
available to all code. If it is passed as an explicit constructor
arg, then the default is to not provide this authority.

These differences seem important. I realize this doesn't necessarily
imply that a global authority-carrying variable must count as ambient
authority, but at the same time I don't buy the argument that it is the
same as a constructor arg and hence isn't ambient authority.

Maybe it's worth going back to the justification for introducing the
concept of ambient authority. Ambient authority is dangerous because (a)
it tends to lead to excess authority and violations of POLA, (b) it can
lead to confused deputy vulnerabilities. I think an authority-carrying
global variable does tend to lead to excess authority and POLA violations;
but it doesn't seem to lead to confused deputy vulnerabilities. Does
that sound right? Did I miss something?
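The two designs the message contrasts, written out as an added example (this is illustration code, not code from the original post, from David Wagner, or from erights.org). One object reaches a module-level authority-carrying global; the other only gets authority if a capability object is passed to its constructor. The names (FileWriter, AUDIT_LOG, ReportGeneratorGlobal, ReportGeneratorCap, demo) are hypothetical; the scratch file is created locally so it runs offline.

```python
# Added example: authority-carrying global vs. capability passed to the constructor.
# All names here are hypothetical and chosen for illustration only.
import os
import tempfile


class FileWriter:
    """A capability: the authority to append to one specific file."""

    def __init__(self, path):
        self._path = path

    def append(self, text):
        with open(self._path, "a") as f:
            f.write(text)


# --- Style 1: authority carried by a global -----------------------------
# Any code that can name AUDIT_LOG can use it. Nothing distinguishes code
# that was meant to hold this authority from code that merely happens to
# be loaded in the same process, and the default is "available to all".
AUDIT_LOG = None  # hypothetical global; populated by init_global()


def init_global(path):
    global AUDIT_LOG
    AUDIT_LOG = FileWriter(path)


class ReportGeneratorGlobal:
    def __init__(self):
        pass  # nobody hands this object any authority...

    def run(self):
        AUDIT_LOG.append("report\n")  # ...yet it can write to the log anyway


# --- Style 2: authority passed as an explicit constructor argument -------
# The creator decides, per instance, whether to grant the capability.
# The default (no argument) is to grant nothing.
class ReportGeneratorCap:
    def __init__(self, log=None):
        self._log = log

    def run(self):
        if self._log is None:
            raise PermissionError("no log authority was granted to this object")
        self._log.append("report\n")


def demo():
    """Exercise both styles against a scratch file; return what happened."""
    fd, path = tempfile.mkstemp()  # constructed scratch file, removed below
    os.close(fd)
    try:
        results = {}

        # Global style: the generator was never granted anything, but once
        # the global exists it can write. You cannot withhold it from this object.
        init_global(path)
        ReportGeneratorGlobal().run()
        results["global_unrequested_write"] = os.path.getsize(path) > 0

        # Capability style, default: no authority, so the write is refused.
        try:
            ReportGeneratorCap().run()
            results["cap_default_denied"] = False
        except PermissionError:
            results["cap_default_denied"] = True

        # Capability style, explicit grant: only then does the write succeed.
        before = os.path.getsize(path)
        ReportGeneratorCap(log=FileWriter(path)).run()
        results["cap_explicit_grant_wrote"] = os.path.getsize(path) > before
        return results
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two differences from the message directly: with the global, ReportGeneratorGlobal writes without ever being given the FileWriter, and there is no place in its construction where a creator could have refused; with the constructor argument, the same object type does nothing until someone explicitly passes the capability in.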