Thoughts on droplets

shapj@us.ibm.com shapj@us.ibm.com
Mon, 1 Nov 1999 20:49:31 -0500


Another falsification.

> If I hand you my car key, you might duplicate
> it and distribute duplicates, but that doesn't
> mean I can no longer have trust about who uses
> it or what it may be used for.  I can trust
> that it can only be used by entities and for
> purposes that you enabled it to be used for.

I'm afraid I disagree, because the analogy is failing of precision in a
critical place.  If you had me a car key, I am in control of the car key.
This is not true of capabilities. [Though I do appreciate being nailed
using my own explanatory analogy. Touche.]

First, you don't hand me a capability.  Your agent (some piece of software)
hands the capability to my agent.  At no time is the capability directly
under my control (though my fingers still never leave my hands :-).  The
problem here is that my actual control over the capability is only as good
as my ability to make trust decisions about the software that serves as my
agent.

Second, there are a great many pieces of software that I must run that
cannot practically be confined.  Given only a single judgement error on my
part about which pieces of software are trustworthy my authorities can be
leaked.  This is one essential lesson of macro viruses.

Therefore, in practice, some simpler means of expressing policies that can
be applied successfully by unthinking users is required in real systems.

> Therefore 1) I can trust it to the extent that
> I trust you, and 2) I can hold you responsible for
> the use made of it.

The second may be true, but this is an artifact of the legal system that is
only accidentally related to causality.  The first is tautologically true,
in the sense that you can never trust any real user at all when it comes to
such decisions because they lack the competence and knowledge to make them
correctly.  Given that you always expect them to do the bad thing, you will
surely never be disappointed. This doesn't falsify your claim exactly, but
I think it renders the claim of limited practical value.

Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595