[cap-talk] User versus Owner (High level dissonance)

Rob Meijer capibara at xs4all.nl
Sun Feb 24 03:04:49 EST 2008


On Sun, February 24, 2008 00:49, Jed Donnelley wrote:
> At 04:03 AM 2/23/2008, Rob Meijer wrote:
>>The 'owner' could keep the software fluid, while allowing the user to
>>be held fully subject to least authority.
>
> I believe that what's good for the goose is good for the gander.
> In my opinion what we need is a clear "object" oriented interface
> where users can easily distinguish between more and less sensitive
> permissions through the same interface.  Bundling permissions into
> rather artificial "user" and "owner" bundles will, in my opinion,
> just make this more difficult to achieve.
>
>>I feel that trying to merge the two into a very powerful user/owner is
>>a mistake, it makes for a more complex, harder to use (from a security
>>choice view), harder to implement system, while the convenience gained is
>>relatively small.
>
> About this point I guess we simply disagree.  If you are a
> Unix or Windows user you may have had this user vs. admin/root
> distinction - with each a less or more powerful ambient "user" -
> drummed into you for these many years.  If all you have available
> is ambient authority, then you really don't have much choice.
> However, if you have object oriented authority available, then
> I believe such a bundling of permissions and separation by a
> distinct "user" login creates problems and solves none.

I feel it is actually following through on the OO nature that would
warrant this distinction. In my view, the user and processes could both
naturally fit the role of just one of the active objects in the graph. If
you follow the OO paradigms, 'private' member data is one of them. Thus
allowing active objects to maintain their own private data would be
following the OO paradigms. Following this paradigm would however, as noted
by others, keep the 'owner' from rightful access to its data if she
chooses to want to migrate such data to some alternative software (the 'DRM
is bad' argument).
I feel that giving the user the privileges to (and thus the power to make
dangerous mistakes with) all of the active objects for example their
private storage would make it hard on the user, hard on the system
developer and would most importantly partially break the OO paradigm. This
while the concept of two alternative (realtime) disconnected object graphs
would avoid much of this.

But having said this, you have proven me wrong on many occasions before,
so I'll stay open to being proven wrong by you once more :)

Do you feel that I am wrong in wanting the user to be 'just another
active object in the graph subjected to all the normal POLA constraints'?
If not, I would be very interested to learn how, without the user/owner
being made disjunct, you would set about doing this.

Rob
