[e-lang] A PictureBook of Secure Cooperation

Fred Spiessens fsp at info.ucl.ac.be
Wed Mar 30 11:55:36 EST 2005

On 30 Mar 2005, at 14:08, Mark Miller wrote:

> Fred Spiessens wrote:
>> I reread the slide and I see now that you mean what you said: the 
>> revoker does not provide any "actual" file authority. I disagree: 
>> revocation-authority should still be considered actual authority over 
>> the file, as it can not only influence who can access the file but 
>> indirectly also the content of the file.
> A very interesting, and somewhat counter-intuitive, consequence of our 
> definition of authority. I think this shows a strength of our 
> definition rather than a weakness -- the counter-intuitive issue 
> highlighted here is a real issue, which is otherwise easily missed.


> However, it also makes me itch for some new distinction intermediate 
> between permission and authority, in order to enable MarcS to say 
> clearly and precisely what he was originally trying to say.

With "actual file authority", I assume MarcS refers to the general 
effects that are caused by (transparently mediated) reading and/or 
writing to that file.  We could call that "use-authority over the 
file", and when the mediation is not completely transparent, we could 
say that the use-authority is partial.  Note of course that 
"use-authority over a subject" is not restricted to effects on that 
subject. Use-authority over a subject is what you get if you can 
(possibly indirectly) exert permissions to that subject.

The distinction is useful as long as we are aware that sometimes Bob 
can have a strict superset of the use-authority over Alice without 
having to use (directly or indirectly) a single permission to Alice.  
Manipulating many people into doing (or not doing) things might be more 
powerful an ability than the ability to do it all yourself, even when 
you cannot give (direct or indirect) "orders". The revoker example 
shows that use-authority over a file is not even necessary to influence 
the content of the file. Of course, all authority eventually stems from 
(somebody having) use-authority.

In BNF style:
authority = use-authority | meta-authority | both
use-authority = the authority to cause the effects that could also be 
caused by exerting permissions
meta-authority = the authority to influence authority


Fred Spiessens
Researcher Software Security
Université catholique de Louvain
fsp at info.ucl.ac.be
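
The revoker example discussed in this message, as an added sketch that is not part of the original post or of any e-lang code: a caretaker hands out a forwarder (partial use-authority over the file) and a revoker whose only permission is `revoke()`, and the file's final content still depends on what the revoker's holder does. The names `makeFile`, `makeCaretaker` and `runScenario` are hypothetical.

```javascript
// Constructed example: all names and sample strings are hypothetical.

// A "file" whose only permissions are read() and write().
function makeFile(initial) {
  let content = initial;
  return Object.freeze({
    read: () => content,
    write: (text) => { content = text; },
  });
}

// Caretaker pattern: the forwarder mediates read/write (use-authority,
// partial because it can be cut off); the revoker can only cut it off.
function makeCaretaker(target) {
  let live = target;
  const current = () => {
    if (live === null) throw new Error('revoked');
    return live;
  };
  const forwarder = Object.freeze({
    read: () => current().read(),
    write: (text) => current().write(text),
  });
  const revoker = Object.freeze({ revoke: () => { live = null; } });
  return { forwarder, revoker };
}

// Alice owns the file, Bob holds the forwarder, Carol holds the revoker.
// Carol never reads or writes, yet her choice decides the final content.
function runScenario(carolRevokesFirst) {
  const file = makeFile('alice v1');
  const { forwarder, revoker } = makeCaretaker(file);
  const revokerPermissions = Object.keys(revoker); // everything Carol can invoke
  if (carolRevokesFirst) revoker.revoke();          // meta-authority exercised
  let bobWrote = true;
  try {
    forwarder.write('bob v2');                      // Bob's use-authority
  } catch (e) {
    bobWrote = false;
  }
  return { content: file.read(), bobWrote, revokerPermissions };
}
```

Comparing `runScenario(false)` with `runScenario(true)` shows the two outcomes differ only in the file's content, although the revoker object exposes no read or write method.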
