On Fri, Jul 4, 2014 at 10:59 PM, Jonathan S. Shapiro <[email protected]> wrote:
> If I'm holding a reference (a capability), and I want to know what
> authority it conveys, the answer is that the authority conveyed is the TRC
> of the permissions conveyed by the reference that I hold. This is very
> basic.

Yes, technically, but because of rights amplification, you really want
to consider the authority provided by a set of capabilities. But yes.

>> Whenever you know you can exercise A (somehow) to get B, and exercise
>> B (somehow) to get C, you can exercise A (by doing both) to get C. At
>> no point does that require knowing which operations are the atomic
>> building blocks of security-relevant operations...
>
> Matt, you aren't getting it here, and this is really basic axiom stuff.
> authority = TRC(permission). I understand that this isn't a language
> person's way to think about things. It is THE conceptual foundation for
> thinking about information flow security issues correctly. And as with
> mathematics, the terms exist as they do for good reasons.

To be more precise, all I meant to point out is that in general there
are multiple notions of permission whose TRC are the same, so that
they're all valid ways of thinking about the situation, if what you
really care about is authority. This is just a consequence of TRC not
being invertible.

But I'm starting to realize that this is probably irrelevant in
practice. Because...

>> I didn't mean to promote any particular approach, just to point out
>> that there are different ways of building up the same authority
>> structure from primitives,
>
> You are misusing the term permissions. There are no primitive permissions.
> If you hold a reference, the permissions conveyed by that reference are the
> operations that the reference directly permits. Period. Full Stop. It hasn't
> got a thing to do with whether those operations are primitive.

You're right, that's much simpler than what I thought it meant. I am
embarrassed.

>> so the primitive permissions are not part
>> of the essence of the system. I'm all for useful fictions about what
>> the primitive operations are; that's what abstraction's all about.
>
> The primitive operations damned well are part of the essence of the system.
> Structure those wrong and you get an unsecurable system.

Now that I'm using your definition of "permission", I can't even tell
what we were arguing about here.
_______________________________________________
bitc-dev mailing list
[email protected]
http://www.coyotos.org/mailman/listinfo/bitc-dev
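The two points argued in the message above, that authority is the transitive reflexive closure (TRC) of the permission relation and that TRC is not invertible (several distinct permission relations collapse to the same authority), can be made concrete in a few lines. The following is an added example, not code from the thread or from the Coyotos/BitC project; the object names (a, b, c, d, box, unsealer, secret), the permission sets and the single amplification rule are constructed for illustration. It also models the rights-amplification remark by computing authority over a set of held references rather than one reference at a time.

```python
"""Added example (not from the thread): authority = TRC(permission).

A permission relation is a set of pairs (x, y): "a reference to x directly
permits obtaining a reference to y".  Authority is the transitive reflexive
closure of that relation.  Two different permission relations can have the
same closure, so authority alone does not determine the permissions.
"""
from itertools import product


def trc(nodes, permits):
    """Transitive reflexive closure of `permits` over `nodes` (Warshall).

    Returns the authority relation: all (x, y) such that holding a reference
    to x lets you eventually obtain a reference to y.
    """
    reach = {(n, n) for n in nodes} | set(permits)   # reflexive part + direct permissions
    for k in nodes:                                  # Warshall: route through k
        for i, j in product(nodes, repeat=2):
            if (i, k) in reach and (k, j) in reach:
                reach.add((i, j))
    return frozenset(reach)


def same_authority(p1, p2, nodes):
    """True when two permission relations convey identical authority."""
    return trc(nodes, p1) == trc(nodes, p2)


def authority_of_set(nodes, permits, amplifications, held):
    """Authority conveyed by a *set* of held references.

    `amplifications` is a set of (needs, grants): holding every reference in
    `needs` yields a reference to `grants` that no single member of `needs`
    conveys on its own.  This is why authority has to be computed over the
    set of capabilities held, not per capability.  Iterates to a fixpoint.
    """
    closure = trc(nodes, permits)

    def reachable(refs):
        return {y for (x, y) in closure if x in refs}

    auth = reachable(held)
    changed = True
    while changed:
        changed = False
        for needs, grants in amplifications:
            if needs <= auth and grants not in auth:
                auth |= reachable({grants})
                changed = True
    return frozenset(auth)


# Constructed sample universe (hypothetical names).
NODES = frozenset({"a", "b", "c", "d", "box", "unsealer", "secret"})

# Two different permission relations: a bare chain, and the chain with
# its derived edges already present as direct permissions.
PERMITS_CHAIN = frozenset({("a", "b"), ("b", "c"), ("c", "d")})
PERMITS_DENSE = PERMITS_CHAIN | {("a", "c"), ("a", "d"), ("b", "d")}

# One amplification rule (constructed): box + unsealer together yield secret.
AMPLIFICATIONS = {(frozenset({"box", "unsealer"}), "secret")}


if __name__ == "__main__":
    print("distinct permissions:", PERMITS_CHAIN != PERMITS_DENSE)
    print("same authority:     ", same_authority(PERMITS_CHAIN, PERMITS_DENSE, NODES))
    print("authority of {box}: ", sorted(authority_of_set(NODES, PERMITS_CHAIN, AMPLIFICATIONS, {"box"})))
    print("authority of {box, unsealer}:",
          sorted(authority_of_set(NODES, PERMITS_CHAIN, AMPLIFICATIONS, {"box", "unsealer"})))
```

Running it shows `PERMITS_CHAIN` and `PERMITS_DENSE` are different relations with the same TRC, which is the non-invertibility point, and that `{"box"}` and `{"unsealer"}` each convey only themselves while the pair conveys `secret`, which is why the authority of a set of references is not the union of their individual authorities.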