[cap-talk] High level dissonance (was: Re: What sparked interest in capabilities)

Rob Meijer capibara at xs4all.nl
Sat Mar 1 11:49:32 EST 2008


On Sat, March 1, 2008 16:11, Jonathan S. Shapiro wrote:
> The use case for constructor-provided authority is when you have a
> program whose purpose is to give its client(s) restricted or guarded or
> qualified access to a more powerful authority that the client should not
> directly hold.
>

This touches on an earlier part of this discussion with respect to a mail
client example and process-private storage. Let me give a short digest of
the discussion for clarity:

I argued (and implemented it as such in my file system project) that
a mail client should, as a (pseudo) persistent process, get its own private
part of file system storage, so it can store:
* A mailbox in whatever format it wishes.
* A client certificate.
without the need to ask the user for partial authority to her file system
storage privileges. I also argued that this setup would make for stricter
POLA as it would treat the user as just another active object in the
object graph, allowing her to be subjected to least authority
herself.

Ivan argued that doing so would constitute DRM, and would keep the user, as
'owner' of the mailbox data, from for example changing mail clients and
importing the mailbox into the other program.

My argument against this was that the 'owner' and 'user' could/should be
separated by means of reboot (or in my case by logging in as the minorfs
user). Jed however argued that this separation would be artificial and very
inconvenient/troublesome.

I feel very uncomfortable with the fact that whatever position we take, it
appears that the user falls (partially) outside of the model.
To me the view :

  A  user  is an active object
  An owner is an active object
  Owner and user are disjunct

seems to come closest to integrating the user into the model.
Others seem to take the position that:

  Owner and user are synonymous
  User and active object are disjunct.

Jonathan, given the above and your above statement,
what would your view be on the example mailbox or certificate ownership,
and on the user/owner/active-object discussion?

Rob

>
> Interestingly, the Hurd folks feel quite strongly that a strict
> hierarchy is sufficient. I don't think I agree. The problem at the end
> of the day is that the composition of authority in sensible systems
> isn't a tree. It's a lattice.
>
>
> shap
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
>
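The design Rob describes (a constructor hands the mail client its own private store, the user drives the client through a least-authority facet, and a disjoint 'owner' facet is what permits exporting the mailbox to another program) can be sketched as an object-capability model. The following is an added illustration written for this page, not code from minorfs, EROS or any list member; the class names (Store, MailClient, UserFacet, OwnerFacet, Constructor) and the idea of an export-only owner facet are assumptions made for the example. Python attribute privacy is by convention only, so this models the authority graph rather than enforcing it.

```python
"""Toy object-capability model of the mail-client / private-storage design.

Added example, not the project's own code. All names here are hypothetical.
A reference to an object IS the authority to use it; there is no global
file-system namespace through which the mailbox or certificate could be reached.
"""
from __future__ import annotations


class Store:
    """Process-private persistent storage. Only holders of a reference can use it."""

    def __init__(self) -> None:
        self._blobs: dict[str, bytes] = {}

    def put(self, name: str, data: bytes) -> None:
        self._blobs[name] = data

    def get(self, name: str) -> bytes:
        return self._blobs[name]


class MailClient:
    """Active object. Its constructor gives it a private Store; it never sees
    (and never needs) the user's own file-system authority."""

    def __init__(self, store: Store, cert: bytes) -> None:
        self._store = store
        self._store.put("client.cert", cert)   # certificate kept private to the client
        self._store.put("mailbox", b"")        # mailbox in whatever format the client likes

    def deliver(self, message: bytes) -> None:
        self._store.put("mailbox", self._store.get("mailbox") + message + b"\n")

    def read_all(self) -> list[bytes]:
        raw = self._store.get("mailbox")
        return raw.split(b"\n")[:-1] if raw else []


class UserFacet:
    """Least-authority view handed to the *user* as an active object:
    she can drive the client but holds no reference to the Store or the cert."""

    def __init__(self, client: MailClient) -> None:
        self._client = client

    def deliver(self, message: bytes) -> None:
        self._client.deliver(message)

    def read_all(self) -> list[bytes]:
        return self._client.read_all()


class OwnerFacet:
    """Disjoint *owner* authority (hypothetical): may export the raw mailbox,
    e.g. to migrate to another mail client, but exposes no way to read the cert."""

    def __init__(self, store: Store) -> None:
        self._store = store

    def export_mailbox(self) -> bytes:
        return self._store.get("mailbox")


class Constructor:
    """Constructor-provided authority: the constructor alone holds the power to
    create stores, and hands each new client a fresh private one, so the
    client's authority is strictly less than the constructor's."""

    def build(self, cert: bytes) -> tuple[UserFacet, OwnerFacet]:
        store = Store()
        client = MailClient(store, cert)
        return UserFacet(client), OwnerFacet(store)


def scenario() -> dict[str, object]:
    """Constructed scenario: a user reads mail, and the owner later exports it."""
    user, owner = Constructor().build(b"-----BEGIN CERT----- (constructed) -----END CERT-----")
    user.deliver(b"From: alice  Subject: hi")
    user.deliver(b"From: bob    Subject: re: hi")
    return {
        "user_sees": user.read_all(),
        "owner_export": owner.export_mailbox(),
        # Neither facet offers the other's authority: no export for the user,
        # no certificate or delivery access for the owner.
        "user_can_export": hasattr(user, "export_mailbox"),
        "owner_can_read_cert": hasattr(owner, "read_cert") or hasattr(owner, "_client"),
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, "=", v)
```

The point the model makes concrete is that "user" and "owner" are two different capabilities over the same client, not two roles of one principal with file-system authority; the DRM objection is answered by the existence of the OwnerFacet, and the inconvenience objection is about how that facet is obtained (reboot, separate login), which the model leaves open.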