Thoughts on droplets -- users vs. programs
Wed, 3 Nov 1999 11:25:50 -0500

>> If the object creator is software running on a site not
>> controlled by the principal/user, then my arguments apply
>> equally well when thinking about the software as creator as
>> when thinking about the principal/user as creator.
>No, i don't think that Jonathan is trying to confuse the

Indeed I wasn't, but I don't think Ping's clarification captures what I was
after either.

I reiterate that there is a fundamental flaw in Tyler's model; I shall try
to express it more clearly this time.

Tyler's model is that the holder of the capability is responsible for what
is done with it.  Stated this way the model is accurate, but it has no
useful correspondence to reality, because the holder of the capability is
software rather than a person.

In describing security policies we are ultimately interested in
understanding which principals can take which actions. When we talk about a
user transferring a capability to another user, we are engaging in a
convenient, and in this case unfortunate, contraction of what actually
happens.  In practice, the user directs some piece of software to transfer
the capability to some other piece of software that is allegedly acting on
behalf of the alleged recipient user.

The shorthand description is okay as long as the programs in question
actually obey the intent of their principal. On an unsecure platform,
however, this cannot be assumed.  For example, it would be very
straightforward to write an email virus which would replace the Windows file.
For the majority of users, this would be a difficult
replacement to detect or even observe (no, Mathilda, it need not show up in
your mail display at all).  In the face of this, and particularly where
money is involved, we certainly can NOT safely assume that the web browser
obeys the intent of the user.  Therefore, while Tyler's statement is
correct -- control over the capability is in the hands of the holder (i.e.
the web browser) -- this statement conveys no useful intuition about what
restrictions exist on the transfer or use of the capability.

For this reason, I am delighted that people believe eCommerce can safely be
done on Windows, but somewhat disappointed that Tyler believes it. My
delight stems from the fact that your average bear is smart enough to
realize that the problem is Windows somewhere around the third time his
online wallet is stolen.  My belief is that eCommerce is therefore the
demise of Windows.  My disappointment comes from the fact that the
community on this list is one of the communities from which the next
generation of OS technology will spring, and I would therefore like its
credibility to be untarnished in the eyes of third-party readers.

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595