[cap-talk] Capabilities in C# (revised)

Sandro Magi naasking at higherlogics.com
Fri Nov 3 12:14:31 CST 2006

Karp, Alan H wrote:
> I prefer to describe the things listed on slide 23 as side channels of
> communication because they are outside the OO model of sending messages
> to objects.

I think most developers do view them as objects, albeit globally
accessible objects. "File.Open(...)" looks like a message send to a
global object "File". The global accessibility seems to be the real problem.

Further, "new FileStream(...)" seems within the normal OO model (at
least it seems normal to Java and C# devs), but it permits what looks
like an up-conversion from an authority-less string to a file r/w capability.

Perhaps you could clarify how to explain what a "side channel" is, as
this will give me a better idea how to explain it.

> Slide 26 reinforces this point.
> Also, I don't buy your argument on slide 24 that ambient authorities
> allows you to manufacture authority.  I don't think it's necessary,
> either, if you use the description in terms of side channels.

I was trying to avoid introducing new concepts like "communication
channels". What I was trying to convey was that these globally
accessible objects allow you to up-convert to more powerful authorities
without any controls. This forces you to then introduce such controls on
the up-conversion process, which leads to code access security.

If side channels convey a clearer overall picture of this downward
spiral, I'm certainly open to using them instead.
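As an added illustration (not code from the original message or from either poster), the following C# contrasts the up-conversion described above, where a bare string reaches a file through the globally accessible `File` object, with a capability-style alternative in which file access flows only along object references. The names `IReadableFile`, `ReadOnlyFileCap` and `DirectoryCap` are invented for this example, and the pattern assumes the capability types are compiled into their own assembly so that the `internal` constructor is unreachable from client code; in a single-file build, as here, the constructor is still visible, which is itself a reminder that the language gives no ambient-authority-free boundary below the assembly.

```csharp
using System;
using System.IO;

// Ambient-authority style: any code holding a plain string can
// "up-convert" it into file access through the global File object.
static class AmbientStyle
{
    public static string ReadConfig(string path)
    {
        // The string carries no authority, yet File hands out full access.
        return File.ReadAllText(path);
    }
}

// Capability style: file contents are reachable only through an object
// reference that something already holding authority handed to you.
public interface IReadableFile
{
    string ReadAllText();
}

public sealed class ReadOnlyFileCap : IReadableFile
{
    private readonly string _path;   // never exposed outside the capability
    // internal: client code in another assembly cannot mint one from a string
    internal ReadOnlyFileCap(string path) { _path = path; }
    public string ReadAllText() => File.ReadAllText(_path);
}

// A directory capability that can issue attenuated (read-only) file
// capabilities for entries beneath it, and nothing above it.
public sealed class DirectoryCap
{
    private readonly string _root;
    public DirectoryCap(string root) { _root = Path.GetFullPath(root); }

    public IReadableFile OpenReadOnly(string relativeName)
    {
        string full = Path.GetFullPath(Path.Combine(_root, relativeName));
        // Refuse names that resolve outside the directory this capability covers.
        if (!full.StartsWith(_root + Path.DirectorySeparatorChar, StringComparison.Ordinal))
            throw new UnauthorizedAccessException("outside directory capability");
        return new ReadOnlyFileCap(full);
    }
}

static class CapabilityStyle
{
    // The caller must already hold an IReadableFile; there is no public
    // static "open" entry point to forge one from a string.
    public static string ReadConfig(IReadableFile config) => config.ReadAllText();
}

static class Program
{
    static void Main()
    {
        // Constructed demo input: a temp directory with one config file.
        string tmp = Path.Combine(Path.GetTempPath(), "captalk-demo");
        Directory.CreateDirectory(tmp);
        File.WriteAllText(Path.Combine(tmp, "app.conf"), "verbose=true");

        // Ambient: a bare string is enough.
        Console.WriteLine(AmbientStyle.ReadConfig(Path.Combine(tmp, "app.conf")));

        // Capability: authority is delegated along object references.
        var dir = new DirectoryCap(tmp);
        IReadableFile conf = dir.OpenReadOnly("app.conf");
        Console.WriteLine(CapabilityStyle.ReadConfig(conf));

        // Attenuation holds: the directory capability cannot reach its parent.
        try { dir.OpenReadOnly("../escape.txt"); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }
    }
}
```

The point of the contrast is the one made in the message: `AmbientStyle.ReadConfig` needs no control because the global `File` object already performs the up-conversion for anyone, so any restriction has to be bolted onto that conversion (code access security), whereas `CapabilityStyle.ReadConfig` can only act on authority it was explicitly given.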

