[E-Lang] Possession as Metaphor (was: Pet Extensions and such (was: what is good about E?))

Ken Kahn kenkahn@toontalk.com
Thu, 2 Aug 2001 19:39:13 -0700 

MarkM wrote:
> Yes.  Jonathan Shapiro uses exactly this example to explain capabilities
at
> http://www.eros-os.org/essays/capintro.html#defn .  I like it.
>

Thanks for the link. I was a bit surprised to read:

"Capabilities can be delegated. If you give your car key to me, you are
trusting me not to hand it to somebody else. If you don't want [sic] trust
me, you shouldn't hand me the key."

I would have thought you are trusting me to only hand the key to someone
that can be trusted at least much as I can be trusted with your car keys.
E.g. the valet may give the keys to another valet.

>
> The problem is indeed one of mapping the metaphor.  The Toontalk lock/keys
> system you describe, as well as SPKI, are actually more key-like than
> capability-like.  Toontalk and SPKI are being truer to this
> metaphor-for-capability systems than capabilities themselves are.
>

Well, ToonTalk birds are the true capabilities and differ from keys as you
described (except see below). The proposed ToonTalk keys are really a
special metaphor for some capabilities that debuggers need. A ToonTalk key
lets you inspect and alter a process. By default every process running
locally is inspectable (unlocked) and the proposed change would give you the
ability to lock things.

> What's the difference between capabilities and keys?  Keys separate
> designation and authority.  Houses and cars that you can't enter are still
> part of your world.  In a key system, when you want to enter a house, you
> have to make two choices: "Of all the houses I might want to enter, which
> one do I wish to enter now (and where is it)?" and "Of these various keys
I
> have, which one should I use to enter the house?"  The user logically
should
> only need to make one choice.  In your key ring system, and SPKI's ambient
> authority, you select the house you want, and if you possess the needed
> authority, it will automatically be found and provided.
>
> In a capability system, to a potential user of the house, the key *is* the
> house.  You interact with the house by interacting with the key, or with
> objects derived from interacting with the key.  There are not two things
> being brought together.  Whereas in a physical key system there are:
> designation (which house) and authority (keys).
>
> So, if both schemes reduce the user's burden to one choice, is there a
> difference?  Yes, a huge one, and I think it's the basis for Alan's
concern
> about E-Speak2.2's POLA violating key rings.  If the provision of
authority
> is automated, by selection from a large pool, then deputies can be
confused
> into, for example, using their own authority to take actions that they
> "thought" were being authorized by keys handed to them by their clients.
>

This difference applies as well to ToonTalk birds and the proposed keys. But
I don't think it is correct to say that a bird *is* or designates anything
else. A bird is a capability for communicating on some channel where some
service or services are presumed to be listening, but it isn't the thing it
communicates with. The receiving end of a communication channel and an
object need not be one-to-one (though I guess they are in E and actors).

Best,

-ken