[cap-talk] the value of non-delegatable authority (was: In defense of Object Capabilities, against non-delegatable *authority*)
toby.murray at comlab.ox.ac.uk
Fri Jan 11 22:08:44 EST 2008
On Fri, 2008-01-11 at 11:48 -0800, Jed Donnelley wrote:
> On 12/22/2007 12:15 AM, Mark Miller wrote:
> > Jed, they <Toby and Duncan in their paper:
> "Non-Delegatable Authorities in Capability Systems"
> http://web.comlab.ox.ac.uk/oucl/work/toby.murray/papers/NDA.pdf >
> > are not doing "non-delegatable objects" or permissions. They
> > are doing non-delegatable *authority*.
> As this discussion seems to have died, I think I should at
> least correct one thing I said with regard to the above.
> Namely in:
Sorry Jed. I've been meaning to get on this discussion but have been
For the record (although my views are by no means fixed here) I see the
fundamental contribution of the "Non-Delegatable Authorities in
Capability Systems" (NDAICS) paper as showing that one can, in
fact, /express/ non-delegatability in the object-capability model. It is
fundamentally arguing about what can be expressed and I think on this
point it is solid.
The paper also tries to lay out the arguments in favour of
non-delegatable authority in order to motivate why one might want to
express non-delegatability in the first place. On this second point, the
paper may be less solid; although I make no claims one way or the other.
These arguments in favour of the utility of non-delegatable authority
don't preclude non-delegatability from being a second-rate tool to solve
most trust problems, as you assert it is. I certainly haven't ruled out
that possibility. Indeed, I agree that non-delegatability is
potentially harmful because it breaks the assumptions of programmers
and makes it difficult to impossible to create the sort of "networks of
subcontracting" for which the OO paradigm is so adept.
That said, people seem inherently drawn to the idea of
non-delegatability of permissions, as a solution to distributing
authority to less-than-trusted entities. I expect that in some
circumstances, there are good reasons for this. The "human / real world"
examples cited in the paper certainly seem to indicate that
non-delegatability has proven useful in limiting the damage that
potentially dishonest individuals can perform in the real world.
It might be the case that while non-delegatability is useful between
humans, that it may be useless between objects in a programming
language, or between processes in an operating system, or between
individual computers on a network. I would argue that we don't have the
experience to properly say one way or the other.
This doesn't preclude, however, being able to /express/ and, hence,
reason about non-delegatability in the object-capability model from
being a useful thing. So even if the idea itself may not be useful for
solving practical trust problems, I argue that it is still useful to be
able to express non-delegatability in the object-cap model, since it
then allows us to reason about it and compare it against other
approaches side-by-side, such as Horton etc.
In related news, I've pulled down the link to the paper while I discuss
some last minute modifications with the JCS editors in order to address
the issues raised by Kevin Reid -- to whom I'm very grateful for
pointing them out. Thanks Kevin.