[E-Lang] Possession as Metaphor (was: Pet Extensions and such (was:
what is good about E?))
Mark S. Miller
Thu, 26 Jul 2001 09:20:03 -0700
At 04:19 PM Wednesday 7/25/01, Ken Kahn wrote:
>I was just thinking about how cars and homes with locks will be much more
>usable once they are smart enough to recognize people so you won't need keys
>(other than your hand, voice, or appearance).
When I first read this, it seemed sort of obviously true. Then, when I
tried to think about what this would mean, concretely, it led into a
fascinating rat's nest.
An obvious possible meaning of a key is "The means by which a resident of
the house may authenticate themselves to the house, so that they may enter."
Starting from this meaning, going to hand/voice/face recognition seems an
But what about the key I hand to a house guest? Or the one I gave my
housecleaners, who arrive on a regular schedule? And what's our user
interface for informing the house of a title transfer, and how does the
house know to believe us? Suddenly, our view of keys and locks changes from
"crude physical implementation of a security mechanism" to "imperfect but
simple and intuitive, distributed, physically embodied UI for representing
authorization decisions and their consequences". As MarcS explains in
Walnut http://www.skyhunter.com/marcs/ewalnut.html#SEC39 , keys are like
capabilities, and badges are like ACLs. Your hand/voice/face recognizing
house is obviously a badge system, and, if we're not careful, will
recapitulate all the problems of ACL systems.
To avoid these problems, we'd need a good UI to the house's security system,
such that changes in authorization to enter the house may reliably reflect
the intentions of those authorized to change such authorizations. Now we
are in the original domain, "Interaction Design from End User Security" as
Miriam and Ping put it. To only slightly rephrase their opening line:
>We introduce principles for usable security that aim to improve the match
>between users' expectations and house behavior. The scope of this paper is
>control by end users of rights to enter their own personal homes.
We started with an open and hard problem -- secure UI design. We tried to
make progress by use of analogy to a pre-existing system that works. We
then observed that this pre-existing system seems unnecessarily hard to use
because it predates computers. Surely modern computation could make it
easier? We have reduced our problem to itself! Have we made any progress?
Actually, I think we have. This tale should remind us of what was so
powerful about the EC Habitats user interface for security issues:
"physical" Possession as a Metaphor for holding rights, and "physical"
transfer (my Avatar hands a "physical" object to your Avatar) as a metaphor
for rights transfer. http://www.caplet.com/security/futurelaw/sld009.htm .
Likewise, in the chessboard analogy for smart contracts rights are turned
into "physical" game pieces that, at any time, are possessed either by a
player or by the board itself. (see
http://www.erights.org/talks/pisa/siframes.htm starting at "Contracts as
This all makes use of our long evolutionary history when possession was more
like 99/100th of the law, and our even longer one for simply tracking the
continuity of physical objects. I feel a bit silly telling you all this --
Toontalk also leverages our evolutionary legacy at handling physical objects
in order to make the abstract intuitive, and it does so to an
extraordinarily greater extent than anything else I'm aware of.
So, I speculate that if we make our homes smart in the way you envision, and
get rid of physical keys, that we'll instead have "physical" keys in the
user interface to the software we use to tell homes who should be allowed
in. So now we've reduced our problem to a virtualized form of our
original metaphor. This could be promising.