[E-Lang] Possession as Metaphor (was: Pet Extensions and such (was: what is good about E?))

Mark S. Miller markm@caplet.com
Thu, 26 Jul 2001 09:20:03 -0700

At 04:19 PM Wednesday 7/25/01, Ken Kahn wrote:
>I was just thinking about how cars and homes with locks will be much more
>usable once they are smart enough to recognize people so you won't need keys
>(other than your hand, voice, or appearance).

When I first read this, it seemed sort of obviously true.  Then, when I 
tried to think about what this would mean, concretely, it led into a 
fascinating rat's nest. 

An obvious possible meaning of a key is "The means by which a resident of 
the house may authenticate themselves to the house, so that they may enter." 
Starting from this meaning, going to hand/voice/face recognition seems an 
obvious convenience.

But what about the key I hand to a house guest?  Or the one I gave my 
housecleaners, who arrive on a regular schedule?  And what's our user 
interface for informing the house of a title transfer, and how does the 
house know to believe us?  Suddenly, our view of keys and locks changes from 
"crude physical implementation of a security mechanism" to "imperfect but 
simple and intuitive, distributed, physically embodied UI for representing 
authorization decisions and their consequences".  As MarcS explains in 
Walnut http://www.skyhunter.com/marcs/ewalnut.html#SEC39 , keys are like 
capabilities, and badges are like ACLs.  Your hand/voice/face recognizing 
house is obviously a badge system, and, if we're not careful, will 
recapitulate all the problems of ACL systems.

To avoid these problems, we'd need a good UI to the house's security system, 
such that changes in authorization to enter the house may reliably reflect 
the intentions of those authorized to change such authorizations.  Now we 
are in the original domain, "Interaction Design from End User Security" as 
Miriam and Ping put it.  To only slightly rephrase their opening line:

>We introduce principles for usable security that aim to improve the match 
>between users' expectations and house behavior. The scope of this paper is 
>control by end users of rights to enter their own personal homes.

We started with an open and hard problem -- secure UI design.  We tried to 
make progress by use of analogy to a pre-existing system that works.  We 
then observed that this pre-existing system seems unnecessarily hard to use 
because it predates computers.  Surely modern computation could make it 
easier?  We have reduced our problem to itself!  Have we made any progress?

Actually, I think we have.  This tale should remind us of what was so 
powerful about the EC Habitats user interface for security issues: 
"physical" Possession as a Metaphor for holding rights, and "physical" 
transfer (my Avatar hands a "physical" object to your Avatar) as a metaphor 
for rights transfer.  http://www.caplet.com/security/futurelaw/sld009.htm .

Likewise, in the chessboard analogy for smart contracts, rights are turned 
into "physical" game pieces that, at any time, are possessed either by a 
player or by the board itself.  (See 
http://www.erights.org/talks/pisa/siframes.htm starting at "Contracts as 
Games".  You still need Javascript turned on -- sorry.)

This all makes use of our long evolutionary history when possession was more 
like 99/100th of the law, and our even longer one for simply tracking the 
continuity of physical objects.  I feel a bit silly telling you all this -- 
Toontalk also leverages our evolutionary legacy at handling physical objects 
in order to make the abstract intuitive, and it does so to an 
extraordinarily greater extent than anything else I'm aware of.

So, I speculate that if we make our homes smart in the way you envision, and 
get rid of physical keys, we'll instead have "physical" keys in the 
user interface to the software we use to tell homes who should be allowed 
in.  So now we've reduced our problem to a virtualized form of our 
original metaphor.  This could be promising.
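
The key/badge contrast in the message above, as an added sketch that is not part of the original post and is not E or Walnut code: a badge house that checks identities against its own list, beside a key house where a guest key or a schedule-limited cleaners' key is a revocable, weaker copy of a key someone already holds. All names (`makeBadgeHouse`, `makeKeyHouse`, `cutKey`) and the sample dates are constructed for illustration.

```javascript
'use strict';
// Badge (ACL) house: the door recognises who you are and consults its own list.
function makeBadgeHouse(owner) {
  const allowed = new Set([owner]);
  return {
    enter: (who) => allowed.has(who),
    // Every change of authorization is an edit to the house's list by the owner.
    grant(by, who) {
      if (by !== owner) throw new Error('only the owner may edit the list');
      allowed.add(who);
    },
  };
}

// Key (capability) house: the door opens for whoever presents a genuine key.
function makeKeyHouse() {
  const genuine = new WeakMap();               // key object -> validity check
  const mint = (check) => { const k = Object.freeze({}); genuine.set(k, check); return k; };
  return {
    masterKey: mint(() => true),
    enter(key, now) { const c = genuine.get(key); return c ? c(now) : false; },
    // Any key holder can cut a weaker copy: extra condition, revocable by the cutter.
    cutKey(parent, condition = () => true) {
      const parentCheck = genuine.get(parent);
      if (!parentCheck) throw new Error('not a genuine key');
      let live = true;
      const key = mint((now) => live && condition(now) && parentCheck(now));
      return { key, revoke() { live = false; } };
    },
  };
}

function demo() {
  const tue = new Date(Date.UTC(2001, 6, 24, 10));    // constructed sample times
  const thu = new Date(Date.UTC(2001, 6, 26, 10));
  const house = makeKeyHouse();
  const guestCut = house.cutKey(house.masterKey);     // owner cuts a guest key
  const friendCut = house.cutKey(guestCut.key);       // guest delegates onward
  const cleaners = house.cutKey(house.masterKey, (now) => now.getUTCDay() === 2);
  const before = [house.enter(guestCut.key, thu), house.enter(friendCut.key, thu)];
  guestCut.revoke();                                  // owner takes the guest key back
  return {
    before,
    after: [house.enter(guestCut.key, thu), house.enter(friendCut.key, thu)],
    cleaners: [house.enter(cleaners.key, tue), house.enter(cleaners.key, thu)],
    forged: house.enter(Object.freeze({}), tue),      // look-alike object, never minted
  };
}
console.log(demo());
```

In the key house, revoking the guest's key also disables the copy the guest cut for a friend, and none of these steps touches a list of identities; in the badge house the same delegation needs the owner to edit the list.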