[cap-talk] Capabilities in C# (revised)

Karp, Alan H alan.karp at hp.com
Fri Nov 3 15:34:05 CST 2006

> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org 
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Sandro Magi
> Sent: Friday, November 03, 2006 10:15 AM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Capabilities in C# (revised)
> Karp, Alan H wrote:
> > I prefer to describe the things listed on slide 23 as side channels of
> > communication because they are outside the OO model of sending messages
> > to objects.
> I think most developers do view them as objects, albeit globally
> accessible objects. "File.Open(...)" looks like a message send to a
> global object "File". The global accessibility seems to be 
> the real problem.

Aaah.  Now I see.  This is the kind of ambient authority you're talking
about.  Nevertheless, the typographic convention of a leading capital
letter means that we're not thinking of these things as normal objects.
I wonder if you can make use of that to make your point.  
> Further, "new FileStream(...)" seems within the normal OO model (at
> least it seems normal to Java and C# devs), but it permits what looks
> like an up-conversion from an authority-less string to a file r/w
> capability.

The thing to ask is where the reference to FileStream comes from.
However, you know your audience better than I.  Such a discussion might
just confuse them.
> Perhaps you could clarify how to explain what a "side channel" is, as
> this will give me a better idea how to explain it.

Objects communicate by sending messages to other objects.  These
messages can convey data and references to other objects.  That's the OO
communications channel.  I call anything else a side channel.  When
learning OO programming, many of the errors I made came from using
global mutable state.  I learned to avoid it, so perhaps I'm more
sensitive to it than most.

> > Slide 26 reinforces this point.
> >
> > Also, I don't buy your argument on slide 24 that ambient authorities
> > allows you to manufacture authority.  I don't think it's necessary,
> > either, if you use the description in terms of side channels. 
> >   
> I was trying to avoid introducing new concepts like "communication
> channels". What I was trying to convey was that these globally
> accessible objects allow you to up-convert to more powerful authorities
> without any controls. This forces you to then introduce such controls on
> the up-conversion process, which leads to code access security.

Valid point, but you did have to introduce the new concept of ambient
> If side channels conveys a clearer overall picture of this downward
> spiral, I'm certainly open to using them instead.

That's up to you.  A global mutable variable is clearly a communications
channel.  It's not so obviously an ambient authority.
> Sandro
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk

Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
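The contrast the thread is circling, written out as an added C# example (this is not code from the message, from the slides it discusses, or from either author): the same "append a line to a log" task done once through ambient authority and once through a passed-in capability. `AmbientAppender`, `IAppendOnly`, `AppendOnlyFile` and `CapabilityAppender` are names chosen here for illustration; `File`, `FileStream` and `StreamWriter` are the real .NET types.

```csharp
using System;
using System.IO;
using System.Text;

// Illustration only (not from the thread). Two ways to append a line to a file:
// one reaches for globally accessible authority, the other receives it.

// 1. Ambient-authority style. The caller hands over only a string. The callee
//    reaches the globally accessible File/FileStream types and up-converts
//    that string into read/write authority over the path. Nothing in the
//    object reference graph records that this code can touch the file system.
static class AmbientAppender
{
    public static void Append(string path, string line)
    {
        using (FileStream fs = new FileStream(path, FileMode.Append, FileAccess.Write))
        using (var w = new StreamWriter(fs, Encoding.UTF8))
        {
            w.WriteLine(line);
        }
    }
}

// 2. Capability style. Writing is only possible through an object reference
//    the caller chose to pass. The interface is narrower than Stream, so the
//    holder's authority is attenuated: it can append, but not read or seek.
interface IAppendOnly
{
    void AppendLine(string line);
}

sealed class AppendOnlyFile : IAppendOnly
{
    private readonly StreamWriter _writer;

    // Only code that already holds a writable Stream can construct one of these;
    // there is no path-based constructor, so no string-to-authority conversion.
    public AppendOnlyFile(Stream writable)
    {
        if (!writable.CanWrite)
            throw new ArgumentException("stream must be writable", nameof(writable));
        _writer = new StreamWriter(writable, Encoding.UTF8) { AutoFlush = true };
    }

    public void AppendLine(string line) => _writer.WriteLine(line);
}

static class CapabilityAppender
{
    // Uses authority it was given and never manufactures any: no File, no
    // FileStream, no path string in sight. Its reach is exactly its arguments.
    public static void Append(IAppendOnly log, string line) => log.AppendLine(line);
}

static class Program
{
    static void Main()
    {
        // Constructed sample path for the demonstration.
        string path = Path.Combine(Path.GetTempPath(), "cap-demo.log");

        // Ambient: any code that holds this string (and the global File/FileStream
        // types) can write here, so the string is effectively a file capability.
        AmbientAppender.Append(path, "written via ambient authority");

        // Capability: authority is created once, by the code that owns the path,
        // attenuated to append-only, and then handed down as an object reference.
        using (FileStream fs = new FileStream(path, FileMode.Append, FileAccess.Write))
        {
            IAppendOnly cap = new AppendOnlyFile(fs);
            CapabilityAppender.Append(cap, "written via passed-in capability");
            // CapabilityAppender cannot recover `path`, cannot read the file, and
            // cannot widen its access: the reference graph is the whole story.
        }

        Console.WriteLine(File.ReadAllText(path));
    }
}
```

Reading the two `Append` methods side by side shows why the thread treats `File.Open(...)` and `new FileStream(path, ...)` as the real problem: in `AmbientAppender` the authority to write is not visible in what was passed in, while in `CapabilityAppender` it is, and it is already narrowed to the one operation the callee needs.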
