[cap-talk] A question on capabilities

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue Jun 13 07:25:14 EDT 2006


David Wagner wrote:
> I gave a talk at PLAS06 yesterday on object capabilities and
> language-based capability systems.  My slides, if anyone is interested,
> are here:
>   http://www.cs.berkeley.edu/~daw/talks/PLAS06.ps

Page 6: "Instead, the person who invokes "cat" is implicitly specifying what
authority "cat" should receive."

I think you mean "is explicitly specifying". The other important point
that is left unsaid (maybe because it is obvious for this example), is
"... and the specification of arguments to 'cat' is no more difficult than
it is for 'cp'".

Page 7: "By default, newly created objects have no authority"

I would say "Newly created objects have only authority explicitly specified
by their creator".

Page 25: "If I have an immutable class with a method that accepts only immutable
arguments, then in a capability-based language, I am guaranteed that the method
will be observationally pure: it is side-effect-free and its return value is some
deterministic function of its arguments."

Nitpick: "and its return value or the exception it throws"

More substantively, I don't think that being a capability-based language
guarantees this. It is not true for capability-based languages with
nondeterministic primitives. The existence of nondeterministic primitives
does not by itself break capability language design rules.

Page 27: this page understates the importance of "and make trusted classes final"
in the solution.

(Actually, what is important is not that the class is final, but that no other
class is substitutable for it in a context in which it is trusted. But Java's
type system provides no way to specify a type corresponding to a single class
without making that class final. An example of a language with an otherwise
similar type system that allows this is Sather.)

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
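An added illustration of the Page 27 point about "make trusted classes final" (example code written for this archive page; it is not from the post, the slides, or any project, and all class and method names are hypothetical; assumes Java 9 or later). It shows how a subclass can be substituted for a non-final trusted class, with a final class as the hardened form.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.function.Consumer;

public class FinalityDemo {

    // Non-final "trusted" class, intended to hand out an unmodifiable view of a list.
    static class ReadOnlyView {
        private final List<String> items;
        ReadOnlyView(List<String> items) { this.items = items; }
        public List<String> items() { return Collections.unmodifiableList(items); }
    }

    // Any subclass is substitutable wherever ReadOnlyView is expected, and Java
    // methods are virtual by default, so it can replace the behaviour the
    // trusting code relies on. (Constructed for the demonstration.)
    static class LeakyView extends ReadOnlyView {
        private final List<String> raw;
        LeakyView(List<String> items) { super(items); this.raw = items; }
        @Override public List<String> items() { return raw; } // hands out the mutable list
    }

    // Trusting code: the parameter type ReadOnlyView is read as "cannot mutate".
    static void grantReadAccess(ReadOnlyView view, Consumer<List<String>> recipient) {
        recipient.accept(view.items());
    }

    // Hardened form: with 'final', the type names exactly one class, so nothing can be
    // substituted for it; 'class X extends FinalReadOnlyView' is a compile-time error.
    static final class FinalReadOnlyView {
        private final List<String> items;
        FinalReadOnlyView(List<String> items) { this.items = items; }
        public List<String> items() { return Collections.unmodifiableList(items); }
    }

    public static void main(String[] args) {
        List<String> data = new ArrayList<>(List.of("a", "b")); // constructed sample input
        Consumer<List<String>> recipient = l -> l.add("injected");

        try {
            grantReadAccess(new ReadOnlyView(data), recipient);
        } catch (UnsupportedOperationException e) {
            System.out.println("honest view: mutation rejected");
        }
        grantReadAccess(new LeakyView(data), recipient); // no exception: the list is mutated
        System.out.println("after substituted subclass: " + data);
    }
}
```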