From: Dean Tribble <tribble@e-dean.com>
Replying To: marcs <marcs@skyhunter.com>
Date: Thu, 05 Dec 2002 19:48:02 -0800
Subject: Re: [e-lang] "Capability Myths Demolished" => ambient authority revisted

Having coined the term "ambient authority" (possibly having unconsciously 
stolen someone else's coinage :-), I want to jump in here :-) Note that I 
have not been entirely able to keep up with the rapid pace of this 
conversation, so I might have missed something....

>So, I am currently leaning toward using "lambda capability" versus "ambient
>capability" when I talk to audiences that might include a computer security
>expert, or that might talk to a security expert when they leave the meeting.

I think I first started using the term "ambient authority" system when 
Netscape was bandying about their bogus "capability" security model. The 
key thing was to distinguish the explicit designation of which authority to 
wield in a request (i.e., object capabilities) from the implicit use of 
authority from the environment.  The problem, though, is that you can take a 
foundation with secure object capabilities, and build an ambient authority 
system from it.  Indeed, one of the minor security architecture bugs 
identified in the review of the DarpaBrowser was that they had made exactly 
that mistake.  Java made that mistake.  The question for security is what 
kind of *system* is it.  The above systems and ACLs are all simply "ambient 
authority systems", and they suffer all the flaws of ambient authority 
systems (confused deputy, poor evolution of security relationships, poor 
assurance of security properties, poor support for abstractions for 
managing security relationships, etc.).

The alternatives are "object-based security systems" or perhaps "strong 
capability systems"  (as opposed to the "weak" ones that "fell into the 
ambient authority trap" -- ooh I like that phrase).  Strong capabilities 
are simply encapsulated object references, and I like to leverage that 
equivalence as much as possible.

Hence, I consider "lambda" to be too theoretical and distracting. It 
sometimes has the feel of being impractical because of the theoretical 
baggage.  It's also not clear to me that it has any actual equivalence to 
capabilities--certainly Lisp 1.5 did not have capabilities.

Objects are much more familiar. You can point out how completely 
unnecessary and destructive it was to add lots of mechanisms to Java, for 
example, when simple patterns of objects result in much higher security 
with much higher efficiency.

So the terms that I use are:

Terms I like:
- ambient authority - an authority in a system that is implicitly used when 
a request requiring the authority is made.

- ambient authority system - a system in which authority is not explicitly 
wielded during requests to use the authority. 

- strong capability, object capability, encapsulated object reference - a 
capability. 

"Ah yes, Lampson started from strong capabilities,  but fell into the 
ambient authority trap and ended up designing yet another ambient authority 
system, instead of the kind of high-performance, secure object system we 
are talking about..."

PS Whenever I talk about "wielding authority", I always hear Norm Hardy 
saying that phrase :-) 

_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang
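The confused deputy that the message pins on ambient authority systems, beside the explicit-designation alternative in which authority is an encapsulated object reference, as an added Python illustration that is not part of the original post; the compiler service, the Writer class and the in-memory store are constructed for the example.

```python
# Added example (not from the thread): a compile service that also appends to
# a billing log, first with ambient authority, then with object capabilities.
# A dict stands in for the filesystem; paths and contents are constructed.

def new_store():
    """Constructed in-memory stand-in for a filesystem: path -> contents."""
    return {"/var/log/billing": "alice:100", "/home/bob/out": ""}


class AmbientCompiler:
    """Deputy that names files by path and writes them with its own authority."""
    BILLING = "/var/log/billing"

    def __init__(self, fs):
        self.fs = fs  # the whole filesystem: ambient authority

    def compile(self, src, out_path):
        self.fs[out_path] = "compiled:" + src      # writes wherever it is told
        self.fs[self.BILLING] += "\nbilled:1"      # its own privileged work


def ambient_confused_deputy():
    """Caller names the billing log as output; the deputy cannot tell that the
    request uses authority the caller does not hold, and clobbers the log."""
    fs = new_store()
    AmbientCompiler(fs).compile("hello", "/var/log/billing")
    return fs["/var/log/billing"]   # "compiled:hello\nbilled:1": alice's record is gone


class Writer:
    """Write capability to one path; holding the reference is the authority."""
    def __init__(self, fs, path):
        self._fs, self._path = fs, path   # not exposed to holders

    def write(self, data):
        self._fs[self._path] = data

    def append(self, data):
        self._fs[self._path] += data


class OCapCompiler:
    def __init__(self, billing):
        self._billing = billing   # deputy's own authority, passed in explicitly

    def compile(self, src, out):  # out: a Writer the caller already holds
        out.write("compiled:" + src)
        self._billing.append("\nbilled:1")


def ocap_no_confusion():
    """Caller holds only a Writer to its own file (assumed: it never sees fs),
    so the only thing it can designate as output is that file."""
    fs = new_store()
    compiler = OCapCompiler(Writer(fs, "/var/log/billing"))
    compiler.compile("hello", Writer(fs, "/home/bob/out"))
    return fs["/var/log/billing"], fs["/home/bob/out"]
```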