Thoughts on droplets -- users vs. programs

Tyler Close
Tue, 2 Nov 1999 10:41:13 -0800 (PST)

shapj wrote:
> Tyler, there are two basic and fundamental flaws in your argument about
> delegation.  You state:

There is nothing 'basic and fundamental' about saying
something hasn't been widely deployed and studied yet. You
are overstating the power of your arguments.

> > The creator of an object receives the only capability for
> > that object.
> It is clear from context (your subsequent use of the pronoun "she" in
> reference to the creator) that by "creator" you mean a principal rather
> than a program.  Your statement is therefore contrafactual for partitioned
> capability systems, and at best half true for encrypted capability systems
> (in that programs also receive the capability, and for that matter receive
> it before the principal does).

Are you making a deliberate attempt to confuse the

If the object creator is software running on a site not
controlled by the principal/user, then my arguments apply
equally well when thinking about the software as creator as
when thinking about the principal/user as creator.

> The balance of your argument proceeds to make many tacit assumptions about
> the principal's ability to correctly understand the behavior of the
> programs that they execute.

No, my delegation argument does not even address this
issue. Questions about the human usability of some piece of
software are properly addressed at the higher level of
application design. Solving problems at the wrong
abstraction layer results in convoluted designs.

As I explained in the same email, creating proper rights
distribution patterns is an issue of application design
and the user's judgement. To some extent, it is possible to
trade better application design for less reliance on the
user's judgement. A well designed application will make it
as easy as possible for the user to apply sound judgement.

> These assumptions are unsupported by mathematics, and are contradicted by
> empirical observation in current systems.  I am prepared to believe that
> this can be addressed by better system design, but the argument as given
> doesn't hold until such a design has been tested.

My delegation argument makes no such assumptions. You are
the one confusing application design with the definition of
security primitives.

As for my belief that more usable software can be created
through better application design, I will use the entirety
of the software engineering field as my test and proof.
