[cap-talk] Comments on a paper - resource "claims"
Jed at Webstart
donnelley1 at webstart.com
Tue Jul 5 21:51:31 EDT 2005
cap-talk,

I just returned from a month's vacation driving coast to coast, etc.
There are quite a number of posts that I'd like to comment on, but
with limited time I'll start with this one.

While I think the problem Alan posed is interesting, I have a different
opinion from Nick's both about the nature of the problem (e.g. its
fluidity) and potential solutions - mostly from our experience with
similar issues at LLNL and with the OS work we did there.

From my perspective the main concern is who pays for scarce
resources. In our work at LLNL when dealing with resources that
have ongoing costs such as storage and processing we associated
an "account" - with its own capability - with the resources when they
are allocated. I believe the notion of a "claim" in resources such as
storage or processing is too fluid to be dealt with effectively either as
Alan hopes or as Nick suggests. To illustrate consider what it means in
terms of "claim" to share writable access to a file with more than one user.
Who has the "claim" to the storage? I think one can argue that any
or none do. It gets even more complex as the resource becomes less
physical and more logical - e.g. a directory (consider an insert only
capability to a directory shared among multiple users) or a database.
In such cases I believe the model of access and of what actual costs
accrue can become arbitrarily complex. Rather than head down that
rat hole I suggest the simpler approach of accounting for the costs
of the base resource and allowing access to it in any potentially
complex manner that seems desirable (e.g. DB table restrictions,
directory access controls, etc., etc.). Any time the costs of the base
resource stop being paid for - the resource disappears, regardless of
the logical sharing at a higher level (consider processor resources in
this regard).

I believe this approach, while still with some complexities (e.g. dealing
with account capabilities) makes the problem more tractable than trying
to deal with "claims" on sub portions of resources or managing bearer
certificates for "scarce resources". Just a personal opinion.

At 08:05 PM 7/2/2005, Nick Szabo wrote:
>Alan describes an important problem. Capabilities don't help solve it, and
>trying to keep track of "who is responsible" is an invitation to exploding
>complexity and dependence on trusted third parties (i.e. security holes).
>Instead, the answer is scarce objects:
>
>http://szabo.best.vwh.net/scarce.html
>
>Scarce objects are objects that like physical objects are finite and
>excludable, and force the client to either conserve or consume (use
>up) their own rights to use the object.
>
>One good tool for implementing scarce objects is:
>
>http://szabo.best.vwh.net/bearer_contracts.html
>
>The attribute of these "bearer certificates" that is crucial for
>scarce objects: they are use-once or use-N-times tokens.
>
>Alan's problem illustrates why it is the scarce object model, rather than
>the capabilities model, that is crucial for implementing the Agorics vision.
>More generally for online commerce, scarce objects are crucial for
>creating an online world that responds properly to the intuitions we
>traditionally bring to contracts, property, and economics.
>
>At the far opposite on the intuitive and mental transaction cost spectrum is
>the proposal Alan mentions -- a bizarrely complex system of recording
>and (it is more presumed than satisfactorily explained) analyzing
>and making decisions based on the delegation chain.
>
>
>-- Nick Szabo
>
>Alan Karp wrote:
>
> > First of all, if there's no delegation, the issuing party is to blame.
> > For example, if Alice has 100 GB of disk space and grants Bob and Carol
> > a claim on all of it for a week, Alice has only herself to blame if she
> > has to reject one of the claims.
> >
> > Let's say that Alice grants Bob a claim on 50 GB and Carol the same. If
> > Bob now grants David and Edward claims on 50 GB, and Carol, David, and
> > Edward all submit their claims, Alice can figure out that Bob is
> > responsible for the over subscription by keeping track of the capability
> > (SwissNumber) she gave to each party.
> >
> > In order to illustrate what I don't know how to do, we need to add
> > another level of delegation. Say that Alice has 100 GB of disk space.
> > She grants Bob the right to claim 50 GB for one week and Carol the same.
> > Bob grants David the right to claim 25 GB for that week and Edward the
> > same. So far, so good. Now, Edward grants Fred and George each the
> > right to claim 25 GB. Carol submits her claim and gets a lease on the
> > space; David and Fred do the same. When George submits his claim, Alice
> > must reject it, but she wants to know if Bob or Carol is responsible for
> > the oversubscription, and Bob wants to know if it's Fred or George.
> > SwissNumber tracking can answer Alice's question, but how does Bob know
> > whether to blame David or Edward?
>
>_______________________________________________
>cap-talk mailing list
>cap-talk at mail.eros-os.org
>http://www.eros-os.org/mailman/listinfo/cap-talk
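
The account-per-base-resource approach described at the top of this message, as an added sketch that is not code from the post or from the LLNL systems it mentions. The class names, the per-GB rate and the use of Python object references to stand in for capabilities are all assumptions made for illustration.

```python
class Account:
    """Pays for base resources; holding this object stands in for
    holding the account capability (assumption of this sketch)."""
    def __init__(self, balance):
        self.balance = balance

    def charge(self, amount):
        if amount > self.balance:
            return False
        self.balance -= amount
        return True

class Storage:
    """Base resource: cost accrues per GB per billing period to ONE account."""
    def __init__(self, account, size_gb, rate_per_gb=1):
        self.account, self.size_gb, self.rate = account, size_gb, rate_per_gb
        self.entries, self.alive = {}, True

    def bill(self):
        # The only accounting question asked: was the base resource paid for?
        if self.alive and not self.account.charge(self.size_gb * self.rate):
            self.alive = False
            self.entries.clear()          # the resource disappears
        return self.alive

class InsertOnly:
    """Facet shared among several users; it carries no claim of its own."""
    def __init__(self, storage):
        self._storage = storage

    def insert(self, name, data):
        s = self._storage
        if not s.alive:
            raise LookupError("base resource no longer exists")
        if name in s.entries:
            raise PermissionError("insert-only: cannot overwrite")
        s.entries[name] = data

def demo():
    acct = Account(balance=250)                       # constructed sample values
    disk = Storage(acct, size_gb=100)
    bob, carol = InsertOnly(disk), InsertOnly(disk)   # one directory, two holders
    bob.insert("a", b"x")
    carol.insert("b", b"y")
    periods = 0
    while disk.bill():                                # runs until payment fails
        periods += 1
    try:
        carol.insert("c", b"z")
        outcome = "accepted"
    except LookupError:
        outcome = "gone"
    return periods, acct.balance, outcome
```

However many facets are handed out, the accounting path never consults them: only the account attached at allocation time decides whether the storage continues to exist.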