[E-Lang] Ordering

[zooko@zooko.com]

[As an aside, I hate the "message forwarding" facility which makes it look like
Jonathan sent a message to e-lang when really Jonathan sent a message to MarkM
who forwarded it to e-lang...]


 Jonathan wrote:
>
> But by making sender and/or receiver identity figure in message
> passing semantics, it becomes difficult to employ an agent, yes?  That
> is, suppose I do the deposit, then ask (and authorize) my agent to do
> the withdrawal.

It sounds to me like your thinking about the fundamental question of "over
which set of messages does the ordering guarantee hold?".  I wrote about that
on e-lang, here: [1].

The first security hole in the Stock Market Application was due to an ambiguity
about that question.  MarcS's design would have been secure if the set of
messages over which the ordering guarantee held was "the set of all messages
sent to this capability", but it was in fact "the set of all messages sent to
this capability from this Vat".

After this discussion I suggest to MarkM that the "natural" answer, IMO, would
be "the set of all messages sent to this capability from this object".  He
replied, IIRC, that he didn't want that because the calling object would then
constitute an implicit parameter, which is a bad thing.

I was silenced, and confused, because it sort of seems like *any* ordering
guarantee constitutes an implicit parameter.


Anyway, the issue that you raise above (making a deposit and then delegating
withdrawal) is addressed by the 3-party partial ordering guarantee.  The "which
set of messages" question applies to the "fundamental" 2-party case.


Regards,

Zooko

[1] http://www.eros-os.org/pipermail/e-lang/2001-April/005203.html