[E-Lang] Promises, equality and trust
Fri, 27 Jul 2001 09:43:02 -0700
> -----Original Message-----
> From: Mark S. Miller [mailto:firstname.lastname@example.org]
> Sent: Friday, July 27, 2001 12:36 AM
> To: Mark Seaborn
> Cc: email@example.com
> Subject: Re: [E-Lang] Promises, equality and trust
> >Another concern I have: If Alice passes to Carol her
> reference to Bob,
> >Carol's vat will have to establish a connection to Bob's vat in order
> >to send messages to Bob (assuming all three live in different vats).
> >Assuming Bob and Bob's vat are in collusion, Bob will be able to
> >distinguish between messages from Alice and messages from Carol.
> >If Bob doesn't want Alice to delegate Bob's authority to Carol,
> >obviously Bob will not be able to stop this, but if Alice's default
> >behaviour is to leave Carol to establish a new connection with Bob,
> >Bob will be able to recognise this, and silently let Carol's
> >to Bob do something different to Alice's reference to Bob.
> >Should the default behaviour be to provide proxies to delegate
> >authority unless we explicitly trust vats to play nice and
> ensure that
> >a reference works the same regardless of what connection it is used
> >I'm assuming the network is not anonymous, which I think is
> >reasonable, but even if that's not the case, the
> >connection-orientedness of E's protocol could lead to different
> >behaviours of the same reference over different connections.
> Fascinating. What you're proposing is what E-Speak2.2
> planned to do: have
> the default case be not to shorten paths (the case actually
> and then have a path shortening Granovetter introduction be
> something a
> program can explicitly request (AFAIK, their plan for this
> was sound, but it
> never got implemented). I remember arguing with Alan over
> this years ago
> (remember Alan?), but yours is the first rationale for the
> E-Speak position
> I understand.
I remember, and you are correct that we never got around to implementing the
The ability to interpret the permissions differently for requests made along
different paths was part of our thinking. Alice can always act as a broker
between Bob and Carol by forwarding Bob's requests and Carol's replies. If
Alice doesn't want this role, she introduces Bob and Carol saying to Carol
"Here are the things I'll do on Bob's behalf. You might as well do them for
Bob directly." Carol can do that, of course, but she may decide to do more
or less for Bob depending on, say, his credit rating relative to Alice's.
Setting up this behavior was quite simple with because the capabilities were
given to Bob by Carol, not Alice.
> I still think default shortening is the right engineering
> decision, because
> the price of not shortening is too high, and the above price
> of shortening
> will IMO usually not be a practical issue. Note that the
> issue is only
> defaults. As in the planned E-Speak2.2, in E both are
> possible. It's just
> that the default is on the other foot. Alice can always
> easily introduce
> Bob to a forwarder for Carol running in VatA.
The no-introduction default made more sense in e-speak Beta 2.2, because
introduction carried a substantial overhead. I believe the introduction
default has less overhead in E than does setting up a forwarder.
> e-lang mailing list
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-3
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278