[cap-talk] In defense of Object Capabilities against non-delegatable authorities

Jed Donnelley jed at nersc.gov
Fri Jan 4 11:57:40 EST 2008


On 12/22/2007 12:15 AM, Mark Miller wrote:
> On Dec 19, 2007 12:08 PM, Jed Donnelley <jed at nersc.gov> wrote:
>> Try to imagine non-delegatable objects in
>> a language like Joe-e.  I believe you simply
>> can't do it.
> 
> Jed, they are not doing "non-delegatable objects" or permissions. They
> are doing non-delegatable *authority*.

I take the above up in another message thread.  I'm
struggling a bit to make that communication as clear and
as terse as possible.  I believe I understand what
you are saying.  Of course any authority that isn't
represented in the normal form as an object capability
reference is unavailable for POLA management as
parameters in invocations and returns and must be
treated specially by programming - a significant cost
in my opinion.

> I believe the NDA technique in their paper works just as well in Joe-E
> as it does in E. In Joe-E it does take a bit more notation because of
> Java's static type system and the resulting awkwardness of the
> reflection API. But other than that, I believe everything in their
> paper could be translated to Joe-E without compromising any of their
> points.

I think perhaps I wasn't clear in my statement.  I wasn't
saying that you can't do it.  I was saying that you can't
*imagine* it (i.e. needing it).  Has there ever been an
object oriented language with support for non-delegatable
references (e.g. as there was in DEMOS for capabilities
with their 'pass once' mechanism)?  That is, references that
can't be used as parameters for other object invocations
or in returns from object invocations?  I've never heard
of such a mechanism.  Consequently I can't imagine this
in Java and so likewise for Joe-E.

Still, I'm sure that as you say one could exploit a
similar 'feature' in Joe-E or Java to achieve a similar
end - the non-delegatability of the authority.  Would
anybody consider doing so of value?  E.g. how would
Toby and Duncan's paper fare at OOPSLA?  I guess that
the reaction would be, "Huh?"  Namely, what is the
point?  I consider creating a separate market for
authorities distinct from object references, particularly
for the useless purpose of making them 'non-delegatable',
a dangerous, unnecessary, and unwise language precedent.
I feel the same about it as a more generalized
object capability mechanism, but I'll continue that
discussion beyond what I've already said in:

http://www.eros-os.org/pipermail/cap-talk/2007-December/009457.html

(where you're right, I should have said, "If we
support non-delegatable *authority* we break the
basic object capability paradigm that provides
for POLA management of authority)

in a separate thread if/when I can get some reasonably
concise thoughts into text.

--Jed  http://www.webstart.com/jed/