[E-Lang] draft statement of consensus

Jonathan S. Shapiro shap@cs.jhu.edu
Wed, 07 Feb 2001 09:03:22 -0500


[Chris sent a response to me privately that I believe he also intended
for e-lang. I'm responding to just this fragment publicly.]

Chris Hibbert wrote:
> > Y) We all agree with the "Principle of Consent" which I will now define: if
> > two parties are communicating, [...], then the recipient of a communication
> > should consent to all receipt of authority [...].
> 
> I agree with this in a normative sense, but I don't understand what it
> has to do with capability security.

It's a backhanded way of saying that the entire notion behind the "own"
right in an ACL system is in principle a bad idea.

Within capability systems, the issue is that there should be no way I
should receive authorities without knowing about it. The reason this
matters is that if I receive authorities without knowing about it, I
might be tricked into using them in a way I did not intend because I
mistakenly believe that the capability slot I invoked held some
authority I understood.

Jonathan