[cap-talk] Horton at HotSec '07: How broadly object/capability?
Jed Donnelley
capability at webstart.com
Sun Jul 8 13:24:19 EDT 2007
Mark and Alan and cap-talk,
At this point I've gone carefully back through the Horton paper.
As you well know it's very tight in its current form.
When I think about what would/should/will be discussed during and
after the 10-15 minute presentation at HotSec, it seems to me that
the paper in its current form is not particularly well suited
to the task.
I believe we should have an interactive conversation (e.g. telephone?)
on this topic.
To prime that discussion let me suggest what I do think is a (the?)
"Hot topic" that we should discuss, namely the role of capability
computing in general in the modern context. As part of that topic
it would be good to discuss what the Horton mechanism brings to that
table - the somewhat surprising fact that fairly simple object
capability mechanisms can be developed to track the responsibility
for capability enabled actions, by "identity". It seems to me
worthwhile to discuss how mechanisms like Horton can be used
to enhance the 'security' of capability communication.
Beyond that, however, I think the relevant "hot topic" is the
general role (possibilities, areas of development, etc., etc.)
for capability computing. This could include (should in my
opinion) the various levels at which such developments are
occurring (language, OS, network), instances of the developments
(e.g. E, Joe-E at the language level, EROS/Coyotos, Plash, Polaris
at the OS level, Web calculus/YURLs, widewords, at the network
level).
I believe it's important to review in a context like the HotSec
discussion how utterly broken "user" based ('ambient authority' -
good to review that term I believe) is, leading as it does to
Microsoft's bogus "first law":
Law #1: If a bad guy can persuade you to run his program on
your computer, it's not your computer anymore.
We absolutely have to run programs from all sorts of authors
on our computers all the time. Most authors we hope will
be "good" but inevitably some will be "bad" - just from the
numbers. We simply cannot prosper with Microsoft's first
law.
I believe we should clarify that capability computing is
really nothing more than object computing with a bit of
discipline by including its access control context. I
believe we should discuss the user interface issues
(e.g. initialization and power boxes) and generally make
a full court press argument for object oriented
capability computing to fully replace ambient authority
(e.g. ACLs in their various forms) computing.
This is of course the extreme position. I'd like your
take on that - perhaps before we speak on the telephone.
Might there be some relevant "Hot topic" in between
a narrow discussion of Horton and this extreme, high
level object/capability review/discussion? I don't
see one, but perhaps there is.
I'll cc cap-talk for reactions from the list that might
feed into our discussion. I think we have to decide at
a high level what we want the focus to be for the discussion
at HotSec - how narrowly Horton vs. broadly object/capability -
before we decide how to respond to the reviewer and revise
the paper. I believe the reviewer is pushing us in the
direction of a more general context. I believe that we
need to decide how far to go in that direction at a high
level before we can decide how to revise the paper and
lay the context for the workshop discussion at HotSec.
--Jed http://www.webstart.com/jed-signature.html