Objects per Democritus

Nick Szabo szabo@best.com
Tue, 22 Jun 1999 12:46:57 -0700


Here's part of my earlier communication which Mark mentioned -- ideas
I've been noodling on for years, inspired by the Agoric Papers:

Democritan Objects: An Affordable Metaphor for Distributed Objects
Interacting Across Trust Boundaries

[Due to nonintuitive interactions and/or origin in fully 
trusted TCB assumptions] no security model has been widely
used for distributing objects across trust
boundaries.  I here propose a much more
readily understood metaphor, based on duplicating
the essential security features of physical objects in
computational objects.  This architecture is 
"affordable" in Donald Norman's sense, in that
human brains are designed to reason in much more
sophisticated ways about physical objects than
about computational objects.  It is thus also
"affordable" in terms of mental transaction costs,
which are the main barrier to sophisticated and
secure commerce on the Net.

An ideally intuitive physical metaphor is based,
not on the complexities of the quantum world as
understood by today's physicists, but on the intuitively 
clear, ideal world of the "atomists" from Democritus 
through Newton.  Three of the main primitive properties of 
this worldview are as follows:

-- Conservation of atomic objects
-- A clear delineation of property rights and responsibilities.
In other words, specify residual control and liability over states 
of the world for which specific obligations or rights are not 
completely specified in contracts.   
-- Hierarchical composition of objects

With Democritan objects, any computation across trust 
boundaries will have these properties.  This model is rather 
restrictive compared to what we are used to within trust boundaries.   
However, it will much more readily keep programmers from 
writing obscurely insecure code, which is easy to do
with either ACLs, capabilities, or cryptography.

Furthermore, conservation (scarcity) and lack
of externalities are the two major assumptions
of microeconomics, the study of commercial
transactions across trust boundaries.  So this
security model allows us to inherit a rich literature
of formal reasoning about such systems.

Democritan objects are not a complete model of
computation across trust boundaries.  Indeed, there
are many smart contracts implementable with
cryptographic protocols but not with Democritan
objects.   No security model has a good handle
on one of the main forms of economic interaction
on the Internet, content.   However, Democritan objects 
provide a straightforward basis for implementing,
in an intuitively secure way, the anonymous exchange
economies formalized in microeconomics.

Microeconomics is also an incomplete description
of interactions across trust boundaries.   The
first place it is incomplete is in transaction
costs: costs that come from the lack of ability
to completely specify states of the world in
contracts.   This gap in microeconomics is
being remedied by the "transaction cost"
or "New Institutional" economists.  The second
place it is incomplete is in reasoning about
supply chains.  In distributed objects, the
call graph is the supply chain.   To stretch
call graphs across trust boundaries, we must
replace rigid client-server relationships
with dynamically adaptable customer-supplier
relationships.  The ideal here is to create a rich 
toolset of exception handling across trust boundaries.
Note that credit risks are a proper subset of
supply chain risks.

[Ka-Ping recently put the supply chain problem succinctly:
"be wary of return values from objects you don't trust."]

Democritan architecture shares some things in common
with capabilities, but is far more affordable.  A
good implementation strategy may be therefore
to implement this model on top of E (www.erights.org).    
Elements in constructing a Democritan layer include:

* Composable conserved atomic objects, as described at 
http://www.best.com/~szabo/bearer_contracts.html

* Property titles for namespaces and other otherwise
insecurely conserved publicly identifiable entities,
as described at http://www.best.com/~szabo/securetitle.html

* Design by contract (e.g., detailed specification and
testing of pre- and post-conditions) as a central rather
than optional part of object programming.

* Exception handling as bankruptcy or contract breach procedure, 
to convert rigid client-server relationships into mutually
beneficial and dynamically reconfigurable (competitive) 
customer-supplier relationships, suitable for object invocation 
across trust boundaries.

* Reputation tracking of the behavior of supply chains.
Cryptographic protocols, such as those used to create
unforgeable and confidentially auditable transaction
logs, can be used to improve the privacy vs. reputation 
information tradeoff, as long as they are hidden under an 
intuitively clear metaphor for the reputation of supply chain 
behavior.
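As an added illustration (not Szabo's code and not part of E), here is a toy model of three of the elements above: conserved atomic objects that can be split and merged but never duplicated, pre- and post-conditions checked as a central part of each operation, and a mint-side check so that an object handed back from an untrusted caller is verified rather than taken at its word. The names Atom, Mint and ContractViolation are invented for the example.

```python
import itertools

class ContractViolation(Exception):
    """A pre- or post-condition (design by contract) failed."""

class Atom:
    """Conserved bearer object: units move between atoms but are never copied."""
    _ids = itertools.count(1)
    def __init__(self, mint, units):
        self.id, self._mint, self.units, self.void = next(Atom._ids), mint, units, False
    def split(self, n):
        """Pre: live and 0 < n <= units.  Post: units conserved across both atoms."""
        if self.void or not 0 < n <= self.units:
            raise ContractViolation("split precondition")
        before = self.units
        child = Atom(self._mint, n)
        self.units -= n
        self._mint.register(child)
        if self.units + child.units != before:  # postcondition check
            raise ContractViolation("split postcondition")
        return child
    def merge(self, other):
        """Absorb a genuine atom; the absorbed one becomes void (nothing duplicated)."""
        self._mint.check(other)  # a returned object is not trusted on its word
        if other is self or other.void:
            raise ContractViolation("merge precondition")
        self.units += other.units
        other.units, other.void = 0, True

class Mint:
    """Sole issuer of units; its registry tells a genuine atom from a look-alike."""
    def __init__(self):
        self.issued, self._live = 0, {}
    def issue(self, units):
        atom = Atom(self, units)
        self.issued += units
        self.register(atom)
        return atom
    def register(self, atom):
        self._live[atom.id] = atom
    def check(self, obj):
        """Reject any object this mint did not create, however right it looks."""
        if self._live.get(getattr(obj, "id", None)) is not obj:
            raise ContractViolation("counterfeit object")
    def conserved(self):
        """Invariant: units held by live atoms equal units ever issued."""
        return sum(a.units for a in self._live.values()) == self.issued
```

A look-alike object with the same attributes fails `Mint.check` because the registry compares identity, not interface, and a voided atom cannot be merged a second time, so the mint's `conserved()` invariant holds across every sequence of splits and merges.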

Democritan objects, by creating a simpler and far more
intuitive model of computation across trust
boundaries, can make the distribution of
objects on the global Internet a reality, just
as the simplification of hypertext into HTML
made the Web a reality.

My thinking on the above has of course been
greatly inspired by the Agoric Papers
and E folks, especially Mark Miller.


szabo@best.com 
http://www.best.com/~szabo/
PGP D4B9 8A17 9B90 BDFF 9699  500F 1068 E27F 6E49 C4A2