From: Ka-Ping Yee
Replying To: Jonathan S. Shapiro
Date: Mon, 2 Dec 2002 02:39:13 -0600 (CST)
Subject: Re: [e-lang] Commentary on Wallach's "Extensible Security Architectures for Java"

Jonathan Shapiro wrote:
> Mathematically, the paper appears basically correct, but its
> conclusion has almost nothing to do with the math

Mark Miller replied:
> I don't remember any math in the Wallach paper.  Perhaps you're thinking of
> [Chander01] Ajay Chander, Drew Dean, John Mitchell, "A State Transition
> Model of Trust Management and Access Control", 14th IEEE Computer Security
> Foundations Workshop.

Jonathan Shapiro replied:
> I am indeed! Thank you for the correction.

Okay, now I'm interested in knowing how you feel about those comments
if you look at them again in the context of the Wallach paper instead
of the Chander paper -- do they now make sense?  I'd like to know if
you still find problems or errors in thinking there.

                        *       *       * 

Chris Hibbert wrote:
> [Ping] said "communicating conspirators cannot be prevented from
> delegating authority in any system".  As I read Ping's comments,
> that's exactly what he meant.

Jonathan Shapiro replied:
> Thank you for the correction. I think I got trapped by a convention of
> the existing literature, and maybe Ping wasn't following that
> convention. When the literature speaks of "delegating authority", it
> generally means "transferring a token that conveys authority" as opposed
> to the type of de facto delegation that we have been discussing. Given
> this context, Ping's words become open to misinterpretation in the way
> that I did.
> If this issue wasn't widely misunderstood, Matt Bishop's papers on de
> facto vs de jure authority transfer wouldn't have needed to exist.
> Ping: My apologies if I misread you. Just so we all understand, which
> way *did* you mean?

I did intend the meaning Chris is thinking of: that is, if A can send
messages to B, then A can get B to exercise B's authority to fulfill
A's wishes.  That is the functional definition of delegation, isn't it?

I guess I don't really understand why any other definition is necessary.
Why should it matter whether your system has a formal representation of
the act of delegation, when the issue is whether or not delegation can
actually happen?

But you seem to be saying there is a difference, when you refer to
Matt Bishop's papers.  Could you explain why this difference matters? 


-- ?!ng

e-lang mailing list