Thoughts on droplets -- users vs. programs
Tue, 2 Nov 1999 11:04:16 -0500

Tyler, there are two basic and fundamental flaws in your argument about
delegation.  You state:

> The creator of an object receives the only capability for
> that object.

It is clear from context (your subsequent use of the pronoun "she" in
reference to the creator) that by "creator" you mean a principal rather
than a program.  Your statement is therefore contrafactual for partitioned
capability systems, and at best half true for encrypted capability systems
(in that programs also receive the capability, and for that matter receive
it before the principal does).

The balance of your argument proceeds to make many tacit assumptions about
the principal's ability to correctly understand the behavior of the
programs that they execute.  These assumptions are unsupported by
mathematics, and are contradicted by empirical observation in current
systems.  I am prepared to believe that this can be addressed by better
system design, but the argument as given doesn't hold until such a design
has been tested.

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595