[cap-talk] Delegating Responsibility in Digital Systems: Horton's "Who Done It?"
Kevin Reid
kpreid at mac.com
Thu May 17 11:31:30 EDT 2007
On May 15, 2007, at 22:04, Mark S. Miller wrote:
> Jed Donnelley, Alan Karp, and I would like your comments on our
> draft paper
>
> Delegating Responsibility in Digital Systems:
> Horton's "Who Done It?"
>
> found at <http://www.erights.org/download/horton/document.pdf>
>
> We plan to submit it to USENIX HotSec 07 (Hot Topics in Security)
> http://www.usenix.org/events/hotsec07/cfp/
> which has a five page limit. Submission deadline is 6/1/2007.
>
> We think this paper is important. Your comments and suggestions
> will be greatly appreciated. Thanks!
1:
I've never seen "ocaps" used before.
"just those objects that ..." -- I would write this as "just those
objects (capabilities) that ..." to reaffirm the equivalence.
"Solitaire runs with all its user's privileges" -- how about
"Windows's Solitaire program"; as this is, it is unobvious what the
referent is if one is not familiar with our traditional examples, and
not a Windows user.
2:
The figure could be improved, I think, by more emphasis on the
application-level objects A, B, and C - perhaps a larger label font.
Also, have you considered using sans-serif?
The significance of the numbers in the black circles is not
explained, though this might not be necessary.
"A complete Horton implementation in Java is available from
erights.org/download/horton/." -- (a) Personally, I would not omit
the "http://" (precision, future-proofing, machine-
understandability). (b) Why is the implementation in Java (a non-
capability language) rather than E?
"sending a reference to a proxy as the single argument of a message
with no return result." -- I first read this as "sending [a reference
to a proxy] as ...".
"Each player expresses Horton-level policy—such as identity-based
logging and revocation—by overriding these defaults, as we will see."
-- to what does "as we will see" refer? I see no examples of
overriding in this paper (and I think there ought to be; or at least
a brief description of how it is feasible).
When examining the wrapping and unwrapping, I wondered why this seems
more complex than the Den movement protocol; my conclusion is that in
the movement protocol Alice and Carol are the same entity, and
therefore there is no need to protect S3 against Alice; furthermore,
my identities provide unsealers rather than sealers, thus eliminating
the fill/provide logic.
Have you tried making Whos into unsealers and Bes into sealers?
Searching for ".seal", every occurrence is passing a resolver-oid
callback, which suggests that such a reversal might simplify operation.
Code:
The indentation mixed with omitted line numbers is slightly
confusing; how about giving the line numbers in a different text style?
Lines 12, 15: No justification is given for the presence of the "t" tag.
Line 19: The noun is "s3slot", but its value is not a slot. This is a
dangerous level confusion; it obscures the fact that (26) takes the
current value rather than the mutable cell.
Lines 05, 03, 12, 15: p3Desc and getGuts have their related
components in the opposite orders.
It might be worth a note that the variables' names are according to
their roles in the diagram, and are not fully general.
4:
Include URLs for mentions of cap-talk and e-lang?
--
Kevin Reid <http://homepage.mac.com/kpreid/>