Communicating Conspirators
Mark S. Miller
markm@caplet.com
Mon, 15 Nov 1999 11:52:31 -0800
At 07:20 AM 11/10/99, Ralph Hartley wrote:
>You are making the logical error of assuming that because your
>notation can not express a difference that there is no difference.
Hi Ralph, I find it hard to imagine how you think I'm making that mistake.
On that very page I say:
>This unenforceable prohibition is the only case that ACLs can express but
>capabilities cannot. However, neither ACLs nor any force in the universe can
>prevent what is here prohibited, so this extra expressiveness only gives the
>users a false sense of security -- misleading them about what inabilities of
>the other players they may count on.
I think I'm pretty clear here that ACLs can express this & capabilities
cannot. I am not claiming that it's unenforceable *because* capabilities
cannot express it. Rather I'm saying that, *since* it's unenforceable, for
other reasons, it's fortunate that capabilities can't express it, and
unfortunate for ACLs that they can. It is a bug, not a feature, for a
security system to allow the expression of unenforceable prohibitions. The
resulting confusion makes everyone less safe.
Or did I misunderstand what error you think I'm making?
>There are two unstated assumptions that you appear to make.
>
> All communication is two way and continuous.
Not unstated at all. Part of the definition of this situation,
Communicating Conspirators, is "Bob and Mallet are properly in
communication". As opposed to Confinement
http://www.erights.org/elib/capability/confinement.html , for which the
corresponding part of the definition is "Mallet and Bob are not supposed to
be able to communicate." Perhaps you missed the orienting page
http://www.erights.org/elib/capability/delegations.html setting up and
distinguishing the four situations?
> All powers can be described as the ability to send or receive a
>message.
Within the electronic world, I see no alternative. I suspect this is where
our real disagreement lies.
>The first assumption is the less problematical one. Depending on how
>it is violated it can result in a great number of different cases
>which may or may not be describable in terms of capabilities, but it
>does not change the results of the question you pose.
Violating the first assumption -- by trying to prevent various kinds of
communication between Mallet and Bob -- does in fact have many cases, which
to my mind are the various cases of confinement. However, I have no idea
whether the distinctions I would make among confinement cases map at all to
the cases you have in mind. Since you agree it does not bear on the matter
at hand, we can defer this.
>The other assumption is more important. Consider the following
>scenario.
>
>Alice wishes to allow Bob, but not Mallet (who is in communication
>with Bob) to have sex with her. Unfortunately Bob's character may not
>be as good as she thinks; he could actually be working for Mallet who
>has designs on Alice.
If you are speaking of the physical world, sure. If Alice has the lights
on, she can tell with adequate probability who has walked into her bedroom.
Bob and Mallet between them do not have adequate technology for Bob to
enable Mallet to use his appearance and smell (or whatever other
authentication cues Alice uses) in order to allow Mallet to have sex with
Alice while Alice thinks it is Bob.
However, this isn't the physical world we are talking about here -- it is
the world inside of computation. The corresponding analogy might be phone
sex. Bob would be the handsome stupid fellow with the small nose. Mallet
would be Cyrano De Bergerac passing messages to Bob for Bob to read.
>Clearly the capability model has no way of dealing with, or even
>properly talking about, this situation. Fortunately ACLs can handle
>this easily.
ACLs can *express* this easily. I said this explicitly. My claim is that
this prohibition is unenforceable. Nothing has any way to handle it, but
ACLs have a way to pretend to handle it. In the electronic world, Alice
cannot authorize a person, she can only authorize computation supposedly
acting on behalf of that person. For purposes of this argument, we can even
drop the "supposedly".
In an ACL system, if she authorizes computation operating on behalf of Bob's
principal, and Bob's principal is not prevented from putting Bob in
communication with Mallet, then *how* can an ACL system actually prevent
Bob from enabling Mallet to do whatever Alice enabled Bob's principal to do?
Until you explain *how* this proxying of access is preventable, in an ACL
system or any other system, you haven't challenged anything I said.
>I can easily think of numerous (though less graphic) situations where
>I might want to grant a non-transferable power. This is why the word
>"Non-transferable" appears in so many contracts. Contrary to common
>belief, lawyers are not paid to litigate meaningless distinctions
>(though sometimes they do).
I have no doubt that preventing delegation among communicating conspirators
is something many would want -- including myself! -- if one could find a
meaningful definition of some such thing that could actually be prevented.
If you have one, I'd be delighted. Please reread carefully my two
descriptions, of the allowed and of the prohibited situations. Since you
are claiming there is a meaningful distinction to be found -- in the
electronic world -- either you can explain to me why these two are not
equivalent, or you can offer alternate descriptions.
>Of course if powers are restricted to consist only of the ability to
>communicate, then there is no distinction since communication is
>transitive. But this restriction rules out a vast part, perhaps a
>majority of things that security is needed for.
Isn't it the case that whatever powers a computational entity has, it
exercises those powers by issuing some kind of invocation or command? Is
not that invocation or command described by information that is somehow
communicated to an underlying system that can bring it about? For example,
a process under an operating system exercises powers by performing a system
call. This communicates only information across the user/system boundary.
If Bob can exercise his authorized powers only by communicating information
to the operating system, why can't Mallet adequately instruct Bob also by
communicating only information to Bob? If Mallet can instruct -- only by
communicating information -- Bob to issue the invocation or command Mallet
is interested in, how is that different, for Mallet's purposes, from Mallet
issuing the invocation or command himself?
Of course, it's possible I've completely misunderstood you. If so, I hope
this message gives you enough understanding of my confusion that you can
clarify.
Cheers,
--MarkM
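
Added illustration, not part of the original message: a minimal Python model of the proxying argument above, in which an ACL check on the caller's principal denies Mallet directly yet cannot distinguish a relayed request from one Bob originated. The class names, the `read-diary` command and the audit list are assumptions made for this example.

```python
class AclResource:
    """Alice's resource: the ACL lists the principals allowed to invoke it."""

    def __init__(self, acl):
        self.acl = set(acl)
        self.audit = []  # (principal, command, allowed) as seen by the resource

    def invoke(self, principal, command):
        allowed = principal in self.acl
        self.audit.append((principal, command, allowed))
        if not allowed:
            raise PermissionError(f"{principal} is not on the ACL")
        return f"done:{command}"


class Process:
    """A computation running under one principal; each call carries that identity."""

    def __init__(self, principal, resource):
        self.principal = principal
        self.resource = resource

    def call(self, command):
        return self.resource.invoke(self.principal, command)


class BobProxy(Process):
    """Bob's process, properly in communication with Mallet."""

    def on_message(self, sender, command):
        # Only information crosses from Mallet to Bob. Bob then issues the
        # invocation himself, so the resource sees Bob's principal and nothing else.
        return self.call(command)


def run_scenario():
    alice = AclResource(acl={"bob"})      # Alice authorizes Bob, not Mallet
    mallet = Process("mallet", alice)
    bob = BobProxy("bob", alice)
    try:
        direct = mallet.call("read-diary")            # constructed sample command
    except PermissionError:
        direct = "denied"
    relayed = bob.on_message("mallet", "read-diary")  # same command, sent via Bob
    return direct, relayed, alice.audit


if __name__ == "__main__":
    print(run_scenario())
```

The resource's audit trail records the relayed call as Bob's, which is the only attribution the ACL check has to work with.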