[E-Lang] Authority -- what is its dual?
Mark S. Miller
markm@caplet.com
Wed, 17 Oct 2001 09:46:59 -0700
I fully agree with Jonathan, but my terminology habits are different, so I
need to clarify some things.
At 07:49 AM 10/17/2001 Wednesday, Jonathan S. Shapiro wrote:
>> As I understand it, authority is defined as the ability to influence
>> the world. Sensory capabilities are then regarded as not conveying
>> authority. Information in general is also regarded as not conveying
>> authority.
>
>This is incorrect. In the context of information systems, authority means
>the ability by a subject to perform one or more operations on an object.
>These operations can either change the state or *detect* the state of the
>object. The first is what you seem to mean by "influence".
>
>Sensory capabilities are most definitely regarded as conveying authority.
>They convey the authority to perform certain read operations.
"operation on an object" only makes sense given a different use of "object"
than used by oo and E programmers -- one that distinguishes "object" from
"data". In EROS (and in the concurrent logic languages, and in one of the
Actor languages), there is such a primitive distinction, and we wouldn't
think that "3 + 4" requires authority beyond that needed to occupy memory
and use CPU time. In particular, neither "3" nor "+" (depending on your
view of "3 + 4") is a capability that an object may be denied.
In E, and I believe in W7, the objects in the initial universal scope, which
all other objects have available by default, are transitively immutable,
and convey no authority to affect or be affected by the external world. One
might consider them morally equivalent to data (except that they may be
encapsulated and selfish). A Sensory key is certainly not immutable, and it
does convey authority to be affected by the external world.
Note: At
http://www.erights.org/elib/capability/ode/ode-capabilities.html#ref-only ,
the Ode may have contributed to confusion on this subject (sorry):
>All Authority Accessed Only by References. The authority an object has to
>affect the world outside of itself should be exactly represented by the
>references it holds. All primitives for interacting with the external world
>must be embodied by primitive objects, and one must obtain references to
>these primitive objects in order to exercise the associated primitive
>functions. Anything globally accessible must therefore be transitively
>immutable, otherwise it would constitute an unconditional source of
>authority not controlled by the reference-passing rules
I will change this to "affect or be affected by", at which point I once
again stand by the definition of capability security as presented in the
Ode. (Or, given the recent correspondence with David Wagner, I'll stand by
this as at least a definition of lambda-capabilities.) I find the Ode's
definition superior to the traditional memory-oriented definitions derived
from Lampson, which have caused untold damage.
>> (This seems to assume a strong capability system, and ignore synergy
>> effects, so that if a chunk of information or a sensory capability is
>> used with another capability to unlock some new authority, this
>> authority is regarded as being conveyed by this latter capability and
>> not by the information or sensory capability.
>
>A better model is to imagine that an operation on the unlocking
>capability has been used to amplify the first authority to produce a third,
>new authority.
Yes. See in particular the distinction between "having" and "knowing"
explained on http://www.erights.org/elib/capability/dist-confine.html
>> A consequence is that a capability to find out the current time
>> doesn't carry authority (so `authority to read the clock' is
>> oxymoronic).
>
>It certainly does. It conveys not just the ability to determine the time,
>but the ability to engage in covert communication more generally with high
>precision!
From E's point of view, it also conveys the ability to escape determinism,
which is why it enables read covert channels. (Jonathan, I find your
language a bit strange, since it does not convey the ability to write covert
channels. This is generally not deniable, but if a system succeeds in
denying it, it would still be denied to an object that can read the clock.)
Btw, this very example is covered in Marc Stiegler's "Introduction to
Capability Security" at
http://www.skyhunter.com/marcs/capabilityIntro/javaex.html
Mark, you may also be confusing the issue of "conveying authority" with the
issue of counting as a hole wrt a confinement check, since the distinction
you explain matches exactly the confinement-hole issue. Confinement cares
only about communication out, not in, so a capability to read the clock can
be perfectly Sensory. In your title, you ask for the dual. The dual of
Confinement is Durability
http://www.cap-lore.com/CapTheory/KK/durability.html , and the dual of
Sensory would seem to be something that can communicate out but not in (a
write-only information channel).
Cheers,
--MarkM
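Added illustration following the message above (example code written for this page, not code from the e-mail, from E, EROS or W7): the facet idiom in JavaScript. It shows a pure computation that needs no capability, a transitively frozen data tree of the kind that may sit in a global scope, and a shared mutable cell split into a Sensory (read-only) facet and its write-only dual, together with a confinement-style audit that cares only about channels out. All function and variable names are assumptions made for the example.

```javascript
'use strict';

// Added example (not from the e-mail thread). All names are assumptions.

// Pure computation: "3 + 4" needs no capability beyond CPU time. It cannot
// affect the outside world, and nothing outside can change its result.
function add(a, b) {
  return a + b;
}

// Deep-freeze a plain data tree so it is transitively immutable: the kind of
// value that may live in a global scope without being a source of authority.
// Only own enumerable properties are walked (enough for plain objects/arrays).
function harden(value) {
  if (value !== null && typeof value === 'object' && !Object.isFrozen(value)) {
    Object.freeze(value);
    for (const key of Object.keys(value)) {
      harden(value[key]);
    }
  }
  return value;
}

// Report whether a data tree is transitively frozen. Note what this check
// cannot see: a frozen facet object whose methods close over mutable state is
// structurally frozen yet still behaves like a mutable, authority-bearing
// object. That gap is exactly why a Sensory key is not "data".
function isTransitivelyFrozen(value, seen = new Set()) {
  if (value === null || typeof value !== 'object') return true;
  if (seen.has(value)) return true;
  seen.add(value);
  if (!Object.isFrozen(value)) return false;
  return Object.keys(value).every((k) => isTransitivelyFrozen(value[k], seen));
}

// A shared mutable cell with two facets:
//   reader: Sensory. Holding it lets the external world affect you (you see
//           writes made by others) but gives you no way to communicate out.
//   writer: the dual. Holding it lets you communicate out (others observe
//           your writes) but gives you no way to be affected.
function makeCell(initial) {
  let state = initial;
  const reader = Object.freeze({ get: () => state });
  const writer = Object.freeze({ set: (v) => { state = v; } });
  return { reader, writer };
}

// Confinement-style audit: a confinement check cares only about channels out,
// so a facet exposing only reads passes while one exposing writes does not.
function exposesWrite(facet) {
  return Object.keys(facet).some((k) => k === 'set');
}

// Scenario: a "confined" party holds only the reader; another party holds
// only the writer. The confined party's observation changes when the outside
// writes, showing that reading conveys authority to be affected by the world,
// while the reader still offers no operation through which to leak.
function scenario() {
  const { reader, writer } = makeCell(0);
  const confined = (facet) => facet.get(); // can only observe
  const before = confined(reader);         // 0
  writer.set(42);                          // the outside world acts
  const after = confined(reader);          // 42: affected without acting
  return {
    before,
    after,
    readerLeaks: exposesWrite(reader),     // false: passes a confinement check
    writerLeaks: exposesWrite(writer),     // true: a channel out
  };
}

module.exports = { add, harden, isTransitivelyFrozen, makeCell, exposesWrite, scenario };
```

The reader facet passes the structural `isTransitivelyFrozen` check even though its `get` closes over state the writer can change; a real immutability audit has to follow behaviour, not just property descriptors.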