[cap-talk] Don't understand capabilities
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Fri Oct 27 09:36:39 CDT 2006
At Fri, 27 Oct 2006 09:13:16 -0400,
Sandro Magi <naasking at higherlogics.com> wrote:
>
> Marcus Brinkmann wrote:
> > I think that ACLs and ambient authority work closer to the real world
> > than capabilities do. Say I want to set a book on fire. The ability
> > to set fire to a book is part of myself, but this ability includes burning
> > any book out there, not just a couple. The question of which book I
> > am allowed to burn depends on which books I own. But ownership is a
> > bidirectional property. We say: "Marcus owns this book." as well as
> > "This book is owned by Marcus." In fact, some people write their
> > names into their books so that people can identify the owner.
> >
> > Of course, this is not the whole story. If my book is locked away in
> > a safe, to which I do not have a key, I can't burn it. However, I can
> > still name it, and the book still "names me" as the owner. In fact, I
> > can name other people's book just as well as my own. If I sell a book
> > I own, ownership is transferred, but my ability to name it is kept
> > intact. This is essential, for example, to settle disputes.
> >
> > It seems to me that in the real world, designation and authority are,
> > in fact, separated.
> >
>
> I don't think this analogy is correct. "Naming" the book in your
> scenario is "out of band" data for operating on it; ie. it's not
> actually used when operating on it. So it's inconsequential to access
> control.
Actually, one of the most straightforward ways to name a book is to
physically operate on it. But apart from that, you have demonstrated
my point: One can name an object without operating on it. That's why
designation and authority are separated.
> Capability systems can still provide this sort of naming; it's a
> brand.
I don't think that brands provide quite the same type of naming I
mean. In the real world, I do not need any authority from anybody to be
able to name an object.
> You still have to be able to touch the book to actually operate on it
> (open it, read it, burn it, etc.). That's a capability. Any disagreements?
Sure, that's a capability. But the world is larger than that.
> As for the "naturalness" of capabilities, what could be more natural to
> a programmer than an unforgeable reference? Pointer arithmetic is
> learned, and with great difficulty.
I am not talking about programmers, though. The human mind and body
are quite flexible enough to acquire rather unnatural abilities after
years of training.
I do not really want to argue about these issues. There is a range of
reasonable interpretations of terms like objects, identity,
identifier, and authority, and trying to agree on fixed definitions
seems counter-productive to me. Also, many unnatural concepts are
extremely useful: most of modern physics is, in fact, completely
unnatural to the human experience, and the same goes for most of
the modern sciences.
Furthermore, just because capabilities do not have a direct analogy in
the real world does not mean that they are necessarily hard to
understand. It may be that the confusion and difficulty in
understanding them have a different origin. As Jed said, many
descriptions focus on technical details rather than conception. I
also found that there is a large dictionary of technical terms which
one has to learn, and there are dialects as well. In fact, every
capability-based system seems to be different, and the differences
matter greatly in understanding how they can be used in practice.
So, maybe I am overemphasizing the issue of human nature. But even
with all of the above in mind, I don't believe that a good
human-computer interface will reveal implementation details like
capabilities. Luckily, there doesn't seem to be any need for that, either.
Thanks,
Marcus
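The following is an added illustration, not part of the cap-talk thread and not code from either participant: the "burn a book" scenario modelled once under ambient-authority access control with an ownership table, and once under object capabilities. All class and function names (`AclLibrary`, `BurnCap`, `RevocableBurnCap`, the scenario helpers) and the sample titles are constructed for the example. It shows concretely where designation and authority coincide and where they come apart in each model, including the revocable-forwarder ("caretaker") pattern that is the standard way an object-capability system expresses a reference that has lost its authority.

```python
from dataclasses import dataclass
from typing import Optional


class PermissionDenied(Exception):
    """Raised when an operation is refused by the access check."""


@dataclass
class Book:
    title: str
    burned: bool = False


# ---------------------------------------------------------------------------
# Model 1: ambient authority with an ACL-style ownership table.
# Designation (looking a book up by name) is open to everyone; authority
# (may the caller burn it?) is a separate check against the caller's identity.
# ---------------------------------------------------------------------------
class AclLibrary:
    def __init__(self) -> None:
        self.books: dict = {}   # title -> Book   (designation)
        self.owners: dict = {}  # title -> owner  (authority)

    def add(self, title: str, owner: str) -> None:
        self.books[title] = Book(title)
        self.owners[title] = owner

    def transfer(self, title: str, new_owner: str) -> None:
        # Ownership changes; the name stays resolvable by everyone.
        self.owners[title] = new_owner

    def name(self, title: str) -> Book:
        # Anyone can designate any book, owner or not.
        return self.books[title]

    def burn(self, title: str, current_user: str) -> Book:
        book = self.name(title)                  # designation succeeds...
        if self.owners[title] != current_user:   # ...authority is checked separately
            raise PermissionDenied(f"{current_user} does not own {title!r}")
        book.burned = True
        return book


# ---------------------------------------------------------------------------
# Model 2: object capabilities.  The only way to designate the book is to
# hold a reference, and holding it *is* the authority to burn it.  There is
# no global name table and no caller-identity parameter.
# ---------------------------------------------------------------------------
class BurnCap:
    def __init__(self, book: Book) -> None:
        self._book = book

    def burn(self) -> Book:
        self._book.burned = True
        return self._book


class RevocableBurnCap:
    """Caretaker pattern (constructed here): a forwarder the lender can cut
    off.  After revocation the borrower still holds an object, but it no
    longer carries any authority over the book."""

    def __init__(self, target: BurnCap) -> None:
        self._target: Optional[BurnCap] = target

    def burn(self) -> Book:
        if self._target is None:
            raise PermissionDenied("capability has been revoked")
        return self._target.burn()

    def revoke(self) -> None:
        self._target = None


def acl_scenario() -> dict:
    """Marcus sells 'Dune' to Sandro; naming survives, authority does not."""
    lib = AclLibrary()
    lib.add("Dune", owner="marcus")
    lib.transfer("Dune", "sandro")
    marcus_can_name = lib.name("Dune").title == "Dune"
    try:
        lib.burn("Dune", current_user="marcus")
        marcus_can_burn = True
    except PermissionDenied:
        marcus_can_burn = False
    sandro_burned = lib.burn("Dune", current_user="sandro").burned
    return {"marcus_can_name": marcus_can_name,
            "marcus_can_burn": marcus_can_burn,
            "sandro_burned": sandro_burned}


def capability_scenario() -> dict:
    """A loan through a revocable forwarder, then an outright sale."""
    lent = Book("Dune")
    loan = RevocableBurnCap(BurnCap(lent))   # Sandro receives only the forwarder
    usable_before = loan.burn().burned
    loan.revoke()                            # Marcus cuts the loan off
    try:
        loan.burn()
        usable_after = True
    except PermissionDenied:
        usable_after = False
    # Sale: the reference itself is handed over and the seller drops his copy,
    # so the seller has no way left even to designate the book.
    sold = Book("Neuromancer")
    marcus_cap: Optional[BurnCap] = BurnCap(sold)
    sandro_cap, marcus_cap = marcus_cap, None
    return {"loan_usable_before_revoke": usable_before,
            "loan_usable_after_revoke": usable_after,
            "marcus_can_name_after_sale": marcus_cap is not None,
            "sandro_burned_after_sale": sandro_cap.burn().burned}


if __name__ == "__main__":
    print(acl_scenario())
    print(capability_scenario())
```

In the ACL model the former owner can still resolve the name after the sale and is stopped only by the ownership check, which is the "designation and authority are separated" property the thread discusses. In the capability model a party that never received a reference cannot designate the book at all, and the revoked forwarder is the closest thing to a name without authority: the borrower keeps an object but every operation through it is refused.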