[cap-talk] Some good advice for disruptive technologies

James A. Donald jamesd at echeque.com
Sun Jan 9 13:27:38 PST 2011


On 2011-01-09 7:40 PM, David Barbour wrote:
> But none of these principles are well served if we just reinvent the
> traditional desktop OS atop a capabilities system.

The core idea of CapDesk and similar approaches is that a program 
should be unable to access a file unless the user explicitly gives it 
the file through the file open dialog - which is how end users naively 
imagine the traditional desktop OS should work.

Which approach fixes most of the problems without "re-educating the 
user" much.

If you have to "re-educate the user" your UI deviates from the principle 
of least surprise.

> In addition to making users more aware of security issues, we
> should leverage the greater composability of capabilities in order
> to offer a more flexible user experience - i.e. with support for
> service extensibility and application mashups, perhaps some
> ability to bookmark and share views, and so on.
>
> We might want to drop an icon representing some facet of a
> service and drop that into your little messaging application. The
> recipient could then interact with a service on your machine, at
> least until you revoke the authority or destroy the service.

A very good idea, but this, of course, requires secure messaging, and if 
we provide people with secure messaging, we have already achieved much 
without changing or adding to the user interface.

Secure messaging requires end-to-end encryption, which requires that 
buddies represent cryptographic identities, such as a hash of a rule 
identifying a public key, rather than representing supposedly human 
readable names rooted in the DNS - so as with CapDesk, this involves a 
big change under the covers, with no substantial change in the UI, other 
than that the messaging system starts to have the security properties 
that the user naively expects it to have.
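
The file-open-dialog ("powerbox") authority flow that the message above attributes to CapDesk, as an added illustration that is not code from the thread or from CapDesk itself. The names Powerbox, FileCap and confined_word_count are assumptions for the model; Python does not enforce confinement, so the block models the discipline (a program that can only use what the dialog hands it, and a grant the user can revoke) rather than imposing it.

```python
"""
Model of the CapDesk-style powerbox flow: the confined program holds no
ambient filesystem authority. Its only route to a file is the trusted
file-open dialog, which returns a capability for the one file the user
chose; the user can revoke that grant later. All names here are
hypothetical and the files are constructed for the demo.
"""
import os
import tempfile
from typing import Callable, List, Optional


class Revoked(Exception):
    """Raised when a program uses a capability the user has withdrawn."""


class FileCap:
    """Handle to exactly one file with bounded rights. The holder never
    learns the path; it can only invoke the methods below."""

    def __init__(self, path: str, writable: bool) -> None:
        self._path = path
        self._writable = writable
        self._live = True

    def read_text(self) -> str:
        self._check_live()
        with open(self._path, "r", encoding="utf-8") as f:
            return f.read()

    def write_text(self, data: str) -> None:
        self._check_live()
        if not self._writable:
            raise PermissionError("capability is read-only")
        with open(self._path, "w", encoding="utf-8") as f:
            f.write(data)

    def _check_live(self) -> None:
        if not self._live:
            raise Revoked("capability revoked by the user")


class Powerbox:
    """Trusted UI component holding the user's full authority. `chooser`
    stands in for the human picking a file in the dialog (None = cancel)."""

    def __init__(self, chooser: Callable[[str], Optional[str]]) -> None:
        self._chooser = chooser
        self._grants: List[FileCap] = []

    def open_dialog(self, purpose: str, writable: bool = False) -> Optional[FileCap]:
        path = self._chooser(purpose)
        if path is None:
            return None  # user cancelled: the program receives nothing
        cap = FileCap(path, writable)
        self._grants.append(cap)  # remembered so the user can revoke later
        return cap

    def revoke_all(self) -> None:
        for cap in self._grants:
            cap._live = False
        self._grants.clear()


def confined_word_count(powerbox: Powerbox) -> Optional[int]:
    """Untrusted program: it cannot name a file, it asks the dialog and
    works with whatever capability (if any) comes back."""
    cap = powerbox.open_dialog("Choose a document to count")
    if cap is None:
        return None
    return len(cap.read_text().split())


def run_demo() -> dict:
    """Exercise grant, cancel, revoke and read-only refusal on constructed files."""
    with tempfile.TemporaryDirectory() as tmpdir:
        doc = os.path.join(tmpdir, "notes.txt")
        with open(doc, "w", encoding="utf-8") as f:
            f.write("one two three four")
        # Other files in tmpdir are simply never offered to the program.

        pb = Powerbox(chooser=lambda purpose: doc)   # user picks notes.txt
        count = confined_word_count(pb)

        # Cancelling the dialog grants nothing at all.
        cancelled = confined_word_count(Powerbox(chooser=lambda purpose: None))

        # A capability the program kept stops working once the user revokes it.
        kept = pb.open_dialog("Open again")
        pb.revoke_all()
        try:
            kept.read_text()
            revoked = False
        except Revoked:
            revoked = True

        # A read-only grant refuses writes even while it is still live.
        ro = Powerbox(chooser=lambda purpose: doc).open_dialog("Read only")
        try:
            ro.write_text("overwritten")
            readonly = False
        except PermissionError:
            readonly = True

        return {"count": count, "cancelled": cancelled,
                "revoked": revoked, "readonly": readonly}


if __name__ == "__main__":
    print(run_demo())
```

The point of the split is that the program's code never contains a path and never calls `open()` itself: the authority to read one file arrives only as the return value of the dialog, so the user's existing "pick a file" gesture is the security decision, with no re-education needed.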
