[cap-talk] In Defense of Identities - birthday reflection
Jed Donnelley
capability at webstart.com
Fri Dec 8 02:38:45 CST 2006

At 06:45 AM 12/7/2006, Jonathan S. Shapiro wrote:
>On Thu, 2006-12-07 at 00:22 -0800, Jed Donnelley wrote:
> > Let's see. Users can't run programs and subjects can't delegate.
> > What can one do in this 'Open'CM?
>
>Jed: the sarcasm isn't helpful, and it doesn't reflect well on you.

Sorry. I wasn't intending to be sarcastic. What I was referring
to is what seems true to me that, as I said later in that message,
in "a system without actors (subjects - you say no programming
above) I'm afraid that much of my reasoning about delegation
doesn't apply. There's nothing to do delegation. I can see how
object-capability semantics doesn't make sense in such a system."

>OpenCM is neither a language system nor an operating system. It is an
>object store. It isn't the purpose of OpenCM to run code. It is the
>purpose of OpenCM to serve as an archival store.

I understood that much from my reading. CVS, Subversion, OpenCM
(with perhaps more of a cross network focus?)?

>Because no non-TCB code executes in such a system, delegation is much
>less interesting and leakage within the system is not much of a concern.
>We can't stop what users may do outside the system, but we can very
>directly track accountability for what they do within the system.

Since you track what 'users' do, it seems you must identify them
or somehow be given a user identity when requests come in. This
sounds to me like a straightforward identity based access control
service. Perhaps in any description you could focus on how the
OpenCM model differs from such a basic approach. I'll be interested
to hear how the 'user' notion works across organizational boundaries
as I read more about the OpenCM model:

>I will send out a description of the OpenCM model and its justification,
>but right now it is more important to attend my son's 2nd birthday
>party.

Wow, two years old. There's a lot more to the world of course than
computing, but I find it interesting speculating what the computing
infrastructure (networks, identities, access control, etc. - what we
discuss so much on this list) will be like when your son might
be interested in such things, say 30 years from now. I well remember
what it was like 30 years ago... I had just published the DCCS
paper and an ArpaNet RFC on the topic - naively hoping to get
consensus on network capabilities - network standard tokens that
could communicate access to arbitrary objects. I was using an
early version of Unix from AT&T as a programming environment for
work on the RATS system, having just finished work on the Research
Into the Security of Operating Systems (RISOS) project, ARPA funded
work to find security flaws in OSs on the ARPA network (not difficult
to find of course, then or now). I was working on a report on the
value of wide area networking for the Energy Research and Development
Administration (predecessor to DOE):

"General Purpose Computer Networks and Resource Sharing in ERDA"

I was just starting work on a local area network research project
that simulated an early 50Mb/sec CSMA/CD LAN, "Hyperchannel". There
was talk about a new operating system at LLNL - what eventually
became the NLTSS: http://en.wikipedia.org/wiki/NLTSS
system that I led the development of, a micro kernel, capability
based network OS.

Of course the price performance of computers and networks
has improved tremendously since then. Along with that comes
much improved scientific simulation, better business processing,
better graphics and home computing, inexpensive data, voice, and
video communication, cell phones, etc. There have been some
improvements in languages (e.g. for parallel processing, OO)
and in algorithms, but to my mind system architectures (both
hardware and software) haven't really improved significantly.
I find that both surprising and sad. Maybe somebody can
cheer me up with a more hopeful view. Certainly the general
flap in this discussion (views all over the map, conflicts in
levels, terminology, focus, etc., etc.) isn't helping. I'm
sure part of the problem is the medium (email), but I certainly
didn't anticipate so much fragmentation even at that.

I guess I need to pull back some and just focus on communicating
this one little bit about delegation of responsibility in digital
systems in as compact and clear a form as possible.

I hope your son had a birthday full of delight Jonathan!

--Jed http://www.webstart.com/jed-signature.html