From: Ben Laurie <ben@algroup.co.uk>
Date: Mon, 02 Dec 2002 14:18:45 +0000
Subject: Re: [e-lang] Commentary on Wallach's "Extensible Security Architectures for Java"

Ka-Ping Yee wrote:
> Jonathan Shapiro wrote:
> 
>>Mathematically, the paper appears basically correct, but its
>>conclusion has almost nothing to do with the math
> 
> 
> Mark Miller replied:
> 
>>I don't remember any math in the Wallach paper.  Perhaps you're thinking of
>>
>>[Chander01] Ajay Chander, Drew Dean, John Mitchell, "A State Transition
>>Model of Trust Management and Access Control", 14th IEEE Computer Security
>>Foundations Workshop.
> 
> 
> Jonathan Shapiro replied:
> 
>>I am indeed! Thank you for the correction.
> 
> 
> Okay, now I'm interested in knowing how you feel about those comments
> if you look at them again in the context of the Wallach paper instead
> of the Chander paper -- do they now make sense?  I'd like to know if
> you still find problems or errors in thinking there.
> 
>                         *       *       *
> 
> Chris Hibbert wrote:
> 
>>[Ping] said "communicating conspirators cannot be prevented from
>>delegating authority in any system".  As I read Ping's comments,
>>that's exactly what he meant.
> 
> 
> Jonathan Shapiro replied:
> 
>>Thank you for the correction. I think I got trapped by a convention of
>>the existing literature, and maybe Ping wasn't following that
>>convention. When the literature speaks of "delegating authority", it
>>generally means "transferring a token that conveys authority" as opposed
>>to the type of de facto delegation that we have been discussing. Given
>>this context, Ping's words become open to misinterpretation in the way
>>that I did.
>>
>>If this issue wasn't widely misunderstood, Matt Bishop's papers on de
>>facto vs de jure authority transfer wouldn't have needed to exist.
>>
>>Ping: My apologies if I misread you. Just so we all understand, which
>>way *did* you mean?
> 
> 
> I did intend the meaning Chris is thinking of: that is, if A can send
> messages to B, then A can get B to exercise B's authority to fulfill
> A's wishes.  That is the functional definition of delegation, isn't it?
> 
> I guess I don't really understand why any other definition is necessary.
> Why should it matter whether your system has a formal representation of
> the act of delegation, when the issue is whether or not delegation can
> actually happen?

One obvious difference is that if you break the channel between A and B,
then in one case A can no longer exercise B's authority, but in the
other it can.

Cheers, 

Ben. 

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
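
The difference raised in the reply above, as an added example that is not part of the original message: A either asks B to act over a channel (de facto delegation) or receives the reference itself (token transfer), and then the channel is cut. All names (`makeLog`, `makeChannel`, `scenario`) are hypothetical, and a capability is modelled as a plain object reference.

```javascript
// Added illustration; every name here is hypothetical.
// A capability is modelled as an object reference that cannot be guessed.

function makeLog() {
  const entries = [];
  return Object.freeze({
    append(line) { entries.push(line); return entries.length; },
    read() { return entries.slice(); },
  });
}

// A severable message channel from A to a receiver function.
function makeChannel(receiver) {
  let open = true;
  return {
    send(msg) {
      if (!open) throw new Error("channel broken");
      return receiver(msg);
    },
    cut() { open = false; },
  };
}

// Run f and report whether it succeeded.
function attempt(f) {
  try { f(); return true; } catch (e) { return false; }
}

function scenario() {
  const log = makeLog(); // B's authority: at first only B holds this reference

  // B serves two kinds of request arriving from A.
  const b = (msg) => {
    if (msg.op === "append") return log.append("B for A: " + msg.text); // de facto
    if (msg.op === "give") return log; // hands over the token itself
    throw new Error("unknown request");
  };
  const aToB = makeChannel(b);

  const viaB = () => aToB.send({ op: "append", text: "hello" });
  const token = aToB.send({ op: "give" }); // A now holds the reference
  const direct = () => token.append("A directly: hello");

  const before = { viaB: attempt(viaB), direct: attempt(direct) };
  aToB.cut(); // break the channel between A and B
  const after = { viaB: attempt(viaB), direct: attempt(direct) };
  return { before, after, entries: log.read() };
}
```

After the cut, the request routed through B fails while the transferred reference still works.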
