[cap-talk] Abstractions that subsume capabilities
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Fri Mar 7 16:54:24 EST 2008
Sandro Magi wrote:
> Jed Donnelley wrote:
>> On 3/6/2008 10:32 AM, Raoul Duke wrote:
>>> Moi aussi. Are there abstractions which subsume capabilities?
>>>
>> Interesting question. I would say that there are, though I don't
>> know of any that are popular enough to have a common terminology
>> to refer to. I'll leave that thought for others to dispute.
>>
>
> Interesting coincidence: I had just kicked off a debate on LTU that
> referential transparency subsumes capability security [1]. I'm curious
> what people here think as well.
>
> Sandro
>
> [1] http://lambda-the-ultimate.org/node/2706#comment-40510

I agree with almost all of Peter van Roy's comments [*]. In particular,
referential transparency does not imply capability security, because it
does not imply encapsulation.

Encapsulation is independent of state -- immutable data can be kept
private by encapsulation. Consider, for example, a 'signer' object that
holds a private key, and will cryptographically sign given data using
that key (using a secure algorithm that is assumed not to leak key
information). This object is referentially transparent, but whether it
can keep the key secret depends on other attributes of the language;
it isn't automatic that the key is kept secret because the object (or
any term in the language) is referentially transparent.

[*] All except for "Frequently one needs to change the state of an entity
without that being visible in the signature (modularity again!). Monads
don't allow that." But that's a side issue.

--
David-Sarah Hopwood
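
The 'signer' argument in the message above, as an added JavaScript example that is not part of the original post: two immutable signers with identical, deterministic behaviour, where only the one whose key is held in a closure keeps it out of reach of ordinary reflection. HMAC-SHA256 stands in for the signing algorithm, and the function names and the key are constructed for illustration.

```javascript
// Added illustration; all names and the key below are constructed.
const { createHmac } = require("node:crypto");

// Deterministic keyed tag: the same (key, data) always gives the same result.
function hmacHex(key, data) {
  return createHmac("sha256", key).update(data).digest("hex");
}

// Signer 1: frozen record. No mutable state and sign() is a pure function of
// its argument, but the key is also an ordinary readable property.
function makeRecordSigner(key) {
  return Object.freeze({
    key,
    sign: (data) => hmacHex(key, data),
  });
}

// Signer 2: same behaviour, but the key exists only in the closure's scope.
// The language offers no reflective operation that returns a closed-over value.
function makeClosureSigner(key) {
  return Object.freeze({
    sign: (data) => hmacHex(key, data),
  });
}

// What a holder of a signer reference can read with plain reflection:
// the first own property that is data rather than a function.
function reachableKey(signer) {
  for (const name of Reflect.ownKeys(signer)) {
    const value = signer[name];
    if (typeof value !== "function") return value;
  }
  return undefined;
}

function demo() {
  const key = "constructed-demo-key";
  const record = makeRecordSigner(key);
  const closure = makeClosureSigner(key);
  return {
    sameOutput: record.sign("msg") === closure.sign("msg"),
    repeatable: record.sign("msg") === record.sign("msg"),
    recordLeaks: reachableKey(record) === key,
    closureLeaks: reachableKey(closure) === key,
  };
}

console.log(demo());
```

Both signers are equally referentially transparent; the difference in key secrecy comes entirely from the language's scoping and reflection rules.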