[cap-talk] Delegating Responsibility in Digital Systems: Horton's "Who Done It?"
Mark S. Miller
markm at cs.jhu.edu
Wed May 16 04:25:18 EDT 2007
Jed Donnelley wrote:
>> I like that I can flip the pages and see the transitions between the
>> three figures.
>
> There are quite a number of "animations" of the protocol that
> are more complete than we could include in the paper. I think
> some have already been referenced on cap-talk, but we can dig
> those out (possibly with corrections?) if people would find
> them helpful.
Start at
http://www.erights.org/elib/capability/horton/notes.html#h0
and click on the figure to advance to the next frame.
But the terminology and notation in the paper have evolved quite a bit since I
posted that animation, and they no longer agree.
> Not intentionally. I believe it's supposed to be working code,
> but it did undergo some revisions. Hmmm. I just looked back
> at the earlier versions and "t" is included in those as well.
> Sigh. I hope to get some time to understand the E code better.
> I'd like to put some initialization and test code around it
> so I can see it work, though I don't know if that will be
> possible before we submit the paper - unless we switch focus
> to another call for papers (might be worthwhile just to get
> some relief from the page limit and a bit more time for
> discussion).
The cfp does end with:
# Note, however, that we expect that many position papers accepted for HotSec
# '07 will eventually morph into finished, full papers presented at future
# conferences.
Having come this far, I do plan to submit to HotSec. The text above suggests
this will not preclude submitting an expanded paper elsewhere.
> I believe that within an 'enterprise' infrastructure one could
> be confident of liveness of the identity infrastructure (e.g. just
> as one is confident of the liveness of the communication). However,
> I agree that between mutually suspicious identity infrastructures
> there is a concern about liveness of a simple communication of
> a capability - though even there I'm not sure this issue is
> any more or less a concern than being concerned about the
> communication itself.
We should examine whether the full Horton-on-Joe-E/ref_send code has any such
liveness vulnerabilities. I designed it to not have any, but this claim has
not been critically examined.
> Even with the mutually suspicious structure diagramed, however,
> it isn't Carol (for example as C) that can delay the message from
> A to B, but rather only the Horton protocol mechanism acting with
> Carol's identity (beCarol).
The objects whose externally observed behavior Alice and Bob will hold Carol
responsible for include S2, S3, C, and Carol's Who. Therefore, these (together
with BeCarol) are all part of Carol. So in this sequential example code, Carol
(for example, acting as S2) *can* delay the message.
Were Carol's Horton objects (S2, S3) properly protected from app-objects (C),
were C ever invoked, it could delay everything else forever, since the entire
example system is a single sequential computation. In the example, C can't
delay the message, but only because it's never given control.
In the actual Horton system, Carol, whether acting as S2 or as C, cannot delay
the message. Or at least that's my claim.
> A in step (1), executes b.foo(c),
> "thinking" it is sending the message "foo" to receiver
> B with a reference to object C as an argument.
As per your suggestions, this was fixed right before posting to cap-talk. It
now reads:
Here, we examine a scenario in which sending
object A executes b.foo(c), intending to send
the message “foo” to receiver B with a reference to
object C as an argument (Figure 1, (01)).
> Thanks for the comments Charlie! I hope we're able to get these
> and others resolved before publication.
>
> Just a note about timing - MarkM indicated that he will be traveling
> to the East coast until I believe Monday - though with some email
> access.
Yes, I'm flying out early tomorrow morning, and will be flying back Monday. I
hope to have intermittent email access while I'm traveling, but I'm not sure.
Starting Tuesday, my top priority will be going through the discussions and
folding suggestions into the paper.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM