[cap-talk] "Ambient capability"

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Jul 15 23:12:58 EDT 2009


Kevin Reid wrote:
> Someone just wrote this page on the erights.org wiki:
>
>   http://wiki.erights.org/wiki/Ambient_capability

(That version of the page is at
<http://wiki.erights.org/w/index.php?title=Ambient_capability&oldid=3469>.)

Sandro Magi wrote:
> Assuming it's the same individual, dmbarbour is a frequent contributor
> to LtU, and he generally seems fairly knowledgeable on programming
> language issues, including object capabilities.
> 
> In reading the article and the talk, I suspect the disconnect arises
> simply because the programming language literature has a more precise
> set of names for certain notions that capabilities are simply agnostic to.
> 
> I think "ambient" in "ambient capability" actually refers to mobile
> ambients [1], and that dmbarbour is trying to describe ways in which the
> local capabilities of migrating code can be either proxied or rebound
> based on a program-specific policy.

If the intent was to refer to "ambient" in the sense of mobile ambients,
that simply confirms that the content of the article was confused, since
there's little or no relation between that and "ambient authority".

The ambient calculus deals with "situated" objects, that is, objects
that have a location or site at which they execute at a given point in
time. (The terms "site" and "situated" are used in the Oz distribution
system and in the book "Concepts, Techniques and Models of Computer
Programming", for example.) Note that capability systems often use
situated object models: vats in E or Waterken, or ORGs in Carl Hewitt's
current actor model work, for example.

However, the specific primitives ('in', 'out' and 'open') defined by the
ambient calculus involve implicit reference to the "surrounding ambient",
which is not a good idea in a capability model. Operations on sites
should instead designate *all* of the sites that they operate on
explicitly.

A mobile object model is a situated object model in which an object can
move between sites while retaining its state and identity -- that is,
references to it remain valid for the new site.

> For instance, Alice ML [2] provides infrastructure for managing
> references to local primitives objects and services so they can be
> either rebound, or perhaps allow proxied remote access when code is
> loaded and unloaded.

Yes, Alice ML is a mobile object system.

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com
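
The contrast drawn above between the ambient calculus 'in' primitive and
operations that designate every site explicitly, as an added example that is
not part of the original post. The Site class, the function names and the
host/store/agent tree are assumptions made up for this toy model.

```python
class Site:
    """A named location that can contain other sites (a tree of ambients)."""
    def __init__(self, name, parent=None):
        self.name, self.parent, self.children = name, None, {}
        if parent is not None:
            parent._attach(self)

    def _attach(self, child):
        child.parent = self
        self.children[child.name] = child

    def _detach(self, child):
        del self.children[child.name]
        child.parent = None

    def path(self):
        return (self.parent.path() + "/" if self.parent else "") + self.name


def ambient_in(mover, target_name):
    """Ambient-calculus style 'in m': the target is looked up by name in
    whatever ambient currently surrounds the mover (implicit reference)."""
    surrounding = mover.parent                   # never named by the caller
    target = surrounding.children[target_name]   # sibling resolved by name
    surrounding._detach(mover)
    target._attach(mover)


def explicit_move(mover, source, target):
    """Explicit style: every site operated on is passed as a reference."""
    if mover.parent is not source:
        raise ValueError("mover is not at the designated source site")
    source._detach(mover)
    target._attach(mover)


def demo():
    # Constructed sample: two hosts that each contain a site named "store".
    host_a, host_b = Site("hostA"), Site("hostB")
    store_a, store_b = Site("store", host_a), Site("store", host_b)
    agent1, agent2 = Site("agent1", host_a), Site("agent2", host_b)
    # Identical code, different effect depending on where the agent sits.
    ambient_in(agent1, "store")
    ambient_in(agent2, "store")
    implicit = (agent1.path(), agent2.path())
    # Explicit form: the caller must hold references to source and target.
    agent3 = Site("agent3", host_a)
    explicit_move(agent3, host_a, store_b)
    return implicit, agent3.path()
```

In the implicit form the string "store" resolves to a different site depending
on where the code happens to be running; in the explicit form the move is
possible only for a caller that holds references to both sites.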


