Taxonomy of Facets & Composites
Mark S. Miller
markm@caplet.com
Thu, 27 Jul 2000 09:37:31 -0700
At 03:25 AM 7/27/00, Tyler Close wrote:
>Markm wrote:
> > ... An object only
> > has one object
> > reference. (Or, all object references to the same object
> > are equivalent.)
>
>An elaboration of 'equivalent' should be included.
Not only are you correct, you are so correct that I see my attempt at
reference-equivalence was nonsense. In fact, elsewhere
http://www.erights.org/elib/concurrency/refmech.html I present E's taxonomy
of kinds of reference. I was trying, unsuccessfully, to find a way out of
the following descriptive dilemma:
I wish to identify a capability with an object reference rather than an
object, because capability-programmers normally speak of capabilities the
way object-programmers speak of object references: "Object A's state holds a
capability/reference to ...". We don't speak of an object's state as simply
holding another object. However, KeyKOS and EROS place the facet identifier
(the data-byte), a crucial part of the object's behavior as I've explained,
into what they call the capability. Likewise, SPKI, and therefore
E-speak3.0, place the authority thinning information (or rather, the authority
thickening information or its lack) into their equivalent of the
"capability" (their authorizing certificate).
In the systems above in which facet-distinguishing information is in what
they call the capability, all capabilities to the same object are in fact
equivalent, which fooled me into thinking I could get away with this
terminological shortcut. However, after your message, I realize this is
a fortuitous coincidence, and that our taxonomy must account for systems in
which behavior and/or state designation is in the reference, and in which
references pairing the same state and behavior may still differ in other ways.
>All references to an object are 'equivalent' in that they refer to
>exactly the same thing and that that thing will respond in the same
>way to exactly the same set of messages for all references.
So, continuing to define an object as a pairing of state and behavior, a
reference designates one object. Two references to the same object are
designation-equivalent and authority-equivalent, but in a given system (like
E) references may be non-equivalent in all the ways you state and in the
ways shown in E's reference-kind taxonomy linked to above.
>Maybe a better way to say this: "In a system with object-level
>capability security, the word 'capability' is a synonym for
>'reference'. The new word is introduced to emphasize that a capability
>obeys more constraints than a reference in a non-capability system."
So, to have a cross-system taxonomy, I'm left with terminology awkward for
KeyKOS and EROS users. Like an object, a capability is a combination of
behavior (a function from a message and old state to new state and outgoing
messages) and state, or, equivalently, as in the Confused Deputy
formulation, a combination of designation (designating unique state) and
authority (the right to feed messages into the behavior function). In
systems with object-level capability security, it works better to say
capability == object. Different references to the same capability/object
may then differ in other ways, but not in their designation or authority.
An object's state then holds *references to* other capabilities/objects. In
systems like KeyKOS & EROS where all references to the same capability are
equivalent, one may, without loss of detail, speak of state holding a
capability rather than a reference to a capability. But when speaking across
systems we should remember that this way of speaking is a shortcut.
>An object may have many references that may or may not respond to an
>EQ message (ie: two references to the same object are equivalent, but
>the holder may have no way of knowing that they are equivalent).
Careful now. An EQ operation adequate for grant matching cannot be a
message sent on one of these references with the other as argument. It must
either be a primitive, or be a message to a third object (like the
KeyKOS/EROS DISCRIM) that has magic ability to inspect these references
without invoking them.
Cheers,
--MarkM
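The point in the last paragraph of the message above, as an added Python example that is not part of the thread: a grant check that sends an EQ message invokes whatever object it is handed, so a forged answer passes, while a DISCRIM-style primitive compares designation without invoking either reference. The names Facet, Impostor, Gate and discrim are assumptions for illustration, not anything from KeyKOS, EROS or E.

```python
# Added illustration (not code from the thread); Facet, Impostor, discrim and Gate
# are assumed names standing in for the EQ message and the KeyKOS/EROS DISCRIM role.

class Facet:
    """An honest capability/object: state plus behaviour, EQ answered truthfully."""

    def __init__(self, name):
        self.name = name
        self.invocations = 0  # how many times our behaviour has been invoked

    def eq(self, other):
        # EQ as a *message*: the receiver runs code and chooses the answer.
        self.invocations += 1
        return self is other


class Impostor:
    """A malicious object whose behaviour claims equality with anything."""

    def __init__(self):
        self.invocations = 0

    def eq(self, other):
        self.invocations += 1
        return True  # forged: passes any message-based grant match


def discrim(a, b):
    """DISCRIM-like primitive: compares designation without invoking a or b."""
    return a is b


class Gate:
    """Holds the capability it granted earlier and later checks a presented one."""

    def __init__(self, granted):
        self._granted = granted

    def admit_via_message(self, presented):
        # Sends EQ to the presented reference: the answer is whatever its
        # behaviour returns, and the call hands it a reference to the grant.
        return presented.eq(self._granted)

    def admit_via_discrim(self, presented):
        # Neither reference is invoked; only their designation is compared.
        return discrim(presented, self._granted)
```

Running the two checks against an Impostor shows the message-based match admitting it (and the Impostor observing the invocation), while the discrim-based match rejects it without the Impostor ever running.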