[cap-talk] Capabilities in C# (revised)
Karp, Alan H
alan.karp at hp.com
Fri Nov 3 15:34:05 CST 2006
> -----Original Message-----
> From: cap-talk-bounces at mail.eros-os.org
> [mailto:cap-talk-bounces at mail.eros-os.org] On Behalf Of Sandro Magi
> Sent: Friday, November 03, 2006 10:15 AM
> To: General discussions concerning capability systems.
> Subject: Re: [cap-talk] Capabilities in C# (revised)
> Karp, Alan H wrote:
> > I prefer to describe the things listed on slide 23 as side channels of
> > communication because they are outside the OO model of sending messages
> > to objects.
> I think most developers do view them as objects, albeit globally
> accessible objects. "File.Open(...)" looks like a message send to a
> global object "File". The global accessibility seems to be
> the real problem.
Aaah. Now I see. This is the kind of ambient authority you're talking
about. Nevertheless, the typographic convention of a leading capital
letter means that we're not thinking of these things as normal objects.
I wonder if you can make use of that to make your point.
> Further, "new FileStream(...)" seems within the normal OO model (at
> least it seems normal to Java and C# devs), but it permits what looks
> like an up-conversion from an authority-less string to a file
> r/w capability.
The thing to ask is where the reference to FileStream comes from.
However, you know your audience better than I. Such a discussion might
just confuse them.
> Perhaps you could clarify how to explain what a "side channel" is, as
> this will give me a better idea how to explain it.
Objects communicate by sending messages to other objects. These
messages can convey data and references to other objects. That's the OO
communications channel. I call anything else a side channel. When
learning OO programming, many of the errors I made came from using
global mutable state. I learned to avoid it, so perhaps I'm more
sensitive to it than most.
> > Slide 26 reinforces this point.
> > Also, I don't buy your argument on slide 24 that ambient authorities
> > allows you to manufacture authority. I don't think it's necessary,
> > either, if you use the description in terms of side channels.
> I was trying to avoid introducing new concepts like "communication
> channels". What I was trying to convey was that these globally
> accessible objects allow you to up-convert to more powerful
> without any controls. This forces you to then introduce such
> controls on the up-conversion process, which leads to code access security.
Valid point, but you did have to introduce the new concept of ambient
> If side channels convey a clearer overall picture of this downward
> spiral, I'm certainly open to using them instead.
That's up to you. A global mutable variable is clearly a communications
channel. It's not so obviously an ambient authority.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
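The contrast the thread is drawing, shown as an added C# example that is not from the original message or from the slides under discussion. The type names (AmbientLogger, IAppendable, AppendOnlyFile, CapabilityLogger, SideChannel) and the temp-file path are constructed for the illustration. It shows the ambient pattern ("File.Open"-style access through a global class, where any string can be up-converted to file authority), the capability pattern (the callee receives only a reference and cannot reach any other file), and a global mutable field acting as the kind of side channel described above.

```csharp
using System;
using System.IO;

// Ambient-authority style: the callee picks the file, and the authority to
// touch it comes from the globally reachable File class. Any code holding a
// string can turn it into file read/write access with no intervening check.
static class AmbientLogger
{
    public static void Append(string path, string line)
    {
        File.AppendAllText(path, line + Environment.NewLine); // string -> file, no check
    }
}

// Capability style: the only thing a client can do with an IAppendable is append
// to the stream behind it. No string it holds can be up-converted to another file.
interface IAppendable
{
    void Append(string line);
}

sealed class AppendOnlyFile : IAppendable, IDisposable
{
    private readonly StreamWriter writer;

    // Constructor takes an already-open writer: whoever builds one must already
    // hold that stream, so the wrapper never manufactures authority on its own.
    private AppendOnlyFile(StreamWriter w) { writer = w; }

    // The single point where a path string becomes a file capability. In a
    // capability design this is confined to the trusted root (Main below);
    // C# alone does not stop other code from calling new StreamWriter(path),
    // which is exactly the up-conversion the thread is discussing.
    public static AppendOnlyFile OpenAt(string path) =>
        new AppendOnlyFile(new StreamWriter(path, append: true));

    public void Append(string line) { writer.WriteLine(line); writer.Flush(); }
    public void Dispose() => writer.Dispose();
}

// Receives its authority only through its constructor parameter. Reading the
// parameter list tells you everything this object can reach.
sealed class CapabilityLogger
{
    private readonly IAppendable sink;
    public CapabilityLogger(IAppendable sink) { this.sink = sink; }
    public void Log(string msg) => sink.Append($"{DateTime.UtcNow:o} {msg}");
}

// A side channel in the sense used in the thread: two objects that were never
// handed references to each other can still communicate through this global
// mutable slot, outside the message-passing model.
static class SideChannel
{
    public static string LeakedPath;
}

static class Program
{
    static void Main()
    {
        // Constructed sample path for the demo; any writable location works.
        string tmp = Path.Combine(Path.GetTempPath(), "cap-demo.log");

        // Ambient: authority flows from the global File class, not from a reference.
        AmbientLogger.Append(tmp, "ambient write");

        // Capability: the root decides which file; the logger only gets the handle.
        using (AppendOnlyFile cap = AppendOnlyFile.OpenAt(tmp))
        {
            var logger = new CapabilityLogger(cap);
            logger.Log("capability write");
        }

        // Side channel: stashing the path in a global lets unrelated code later
        // call AmbientLogger.Append(SideChannel.LeakedPath, ...) without ever
        // having been given a reference. Reviewers should treat such statics as
        // communication channels when auditing what a component can reach.
        SideChannel.LeakedPath = tmp;

        Console.WriteLine(File.ReadAllText(tmp));
    }
}
```

The useful reading exercise is to compare CapabilityLogger with AmbientLogger: the first can be audited from its signature alone, while the second can reach any file the process can, because the global File class is implicitly in scope everywhere.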