[cap-talk] Wikipedia: Object-capability model

Jed Donnelley capability at webstart.com
Sat Jan 6 03:38:05 CST 2007


At 12:41 AM 1/6/2007, Ka-Ping Yee wrote:
>I have created the article!  See:
>
>     http://en.wikipedia.org/wiki/Object-capability_model
>
>and please help me add to it.  See:
>
>     http://en.wikipedia.org/wiki/Talk:Object-capability_model
>
>for some things that I think need to be added, and if you agree,
>please add them.
>
>Jed: I am trying to keep the introduction as succinct as possible,
>so for now I'm leaving out other synonyms for "reference" ("pointer"
>and "capability").  A section on how the model is viewed from an
>OO perspective can talk about pointers for those who are familiar
>with objects, and another section can talk about how it relates to
>the capability perspective and the various meanings of "capability".

OK.  Understood.  Looks good.

Why is the second means of obtaining a reference:

2.  The creator of an object has access to the created object.

needed?  Isn't it just an instance of the third?  Namely
the instance when the object is received in a message
responding to a creation request?  I suggest removing case #2.
Doing so would make the definition more succinct ;-)

I'm still a bit uncomfortable with the "initial conditions"
case also.  For me "initial conditions" are a special case
of some other sort of way of getting object references
that I don't have a name for.  If some active object has
a reference to my c-list, then it can put object references
into my c-list for me to access directly.  If it does this
before I start running these can be considered "initial
conditions".  What about if it does so after I'm running?
Perhaps something of an odd situation, but it can happen.
For me this is the same as an "initial condition" except
that it isn't "initial".  I see #1 as a special case of
this more general way of receiving object references.
Sorry, but I'm not sure how to provide wording to make
this clear for the Wikipedia definition.  Perhaps it's
best not to worry about it.

Something that seems a bit odd to me is that the model is
referred to as the Object-capability model, but the term
"capability" only shows up in the name.  What does the term
"capability" add?  From just reading the definition one
might be inclined to ask why isn't it just the 'object' model?
Perhaps the "object access" model?

I still think it would be better to introduce the term
"capability" for the reference in the first definition:

Objects are both accessed and designated through unforgeable
references called "capabilities."

Then use 'capability' wherever you have otherwise used
"reference."  Isn't the term "reference" a more general
term?  When you say, for example, "objects can embed
references in the messages they send" don't you really
mean capabilities rather than some other form of reference?
Perhaps there isn't any other form of reference in an
Object-capability system?  Still, the term "capability"
seems more explicit to me.  Also of course it has a
historical context and appears in the more general
capability model.

Sorry for the delay in responding.  I decided I should finish
a cover-to-cover reread of MarkM's thesis before responding.

One other minor quibble.  I'd remove the "secure" adjective
from the sentence:

EROS is a secure operating system that implements the
object-capability model.

Every operating system can claim to be "secure" in some
sense of the word.  Why push this term there and potentially
antagonize people?

Incidentally, here's a capability architecture that I hadn't
before been aware of:

http://en.wikipedia.org/wiki/Flex_machine

Go Wikipedia!

--Jed  http://www.webstart.com/jed-signature.html  
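The three ways of obtaining a reference that the message above argues over (initial conditions, creation, and receipt in a message), plus the c-list-injection case Jed describes, as an added example in plain JavaScript. This is not code from the cap-talk post, the Wikipedia article, or any ocap system they name; makeCounter, makeActor, the method names and the modelling of a c-list as a Map from local name to reference are all assumptions made for this illustration.

```javascript
'use strict';

// Something worth holding a reference to.  Counting is only possible for
// whoever holds this object; there is no global registry to look it up in.
function makeCounter() {
  let n = 0;
  return Object.freeze({
    increment() { return ++n; },
    read() { return n; },
  });
}

// An object-capability style actor.  Its authority is exactly the set of
// references in its c-list (modelled here as a Map from local name to
// reference); `initial` is what it is endowed with before it runs.
// makeActor, makeCounter and the method names are hypothetical, chosen
// for this illustration only.
function makeActor(initial = {}) {
  const clist = new Map(Object.entries(initial));   // case 1: initial conditions
  return Object.freeze({
    // Case 2: creating an object yields a reference to it.  Structurally
    // this is the reply to a "create" request, which is why the thread
    // argues it is a special case of receiving a reference in a message.
    create(name, factory) {
      const obj = factory();
      clist.set(name, obj);
      return obj;
    },
    // Case 3: a reference arrives inside a message.
    receive(name, ref) { clist.set(name, ref); },
    // Introduce another actor to something we hold (sends a reference).
    introduce(name, other, asName) { other.receive(asName, clist.get(name)); },
    has(name) { return clist.has(name); },
    // Act only through held references; a missing entry is not a lookup
    // failure to be retried elsewhere, it is the absence of authority.
    invoke(name, method, ...args) {
      const ref = clist.get(name);
      if (ref === undefined) throw new Error(`${method}: no capability "${name}"`);
      return ref[method](...args);
    },
    // The case the message raises: an object holding the c-list itself can
    // insert references, whether or not the owner has "started" yet.
    clist() { return clist; },
  });
}

// Walk through each acquisition path and record what each actor could do.
function demo() {
  const counter = makeCounter();
  const alice = makeActor({ counter });   // endowed at creation (case 1)
  const bob = makeActor();                // starts with an empty c-list
  const out = {};

  out.aliceFirst = alice.invoke('counter', 'increment');        // 1
  out.bobBefore = bob.has('counter');                           // false
  try {
    bob.invoke('counter', 'increment');
  } catch (e) {
    out.bobDenied = e.message;
  }

  alice.introduce('counter', bob, 'counter');                   // case 3
  out.bobAfter = bob.invoke('counter', 'increment');            // 2, same counter

  const mine = bob.create('mine', makeCounter);                 // case 2
  out.bobCreated = bob.invoke('mine', 'increment');             // 1, fresh counter

  // Post-start injection: carol was given alice's c-list, so carol can hand
  // alice a reference directly, without alice receiving any message.
  const carol = makeActor({ aliceClist: alice.clist() });
  carol.invoke('aliceClist', 'set', 'mine', mine);
  out.aliceInjected = alice.invoke('mine', 'read');             // 1
  return out;
}

console.log(demo());
```

Run it with node; the object returned by demo() records, step by step, that bob can do nothing with the counter until alice introduces it, that creation hands bob a reference the same way a reply would, and that carol, holding alice's c-list, can give alice a reference after alice is already running. One caveat: ordinary JavaScript still has ambient authority (the global object, mutable prototypes), so this models the acquisition rules rather than enforcing them; a real ocap system has to remove those side channels.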



