RE: Thoughts on droplets -- users vs. programs Tyler Close (tjclose@yahoo.com)
Tue, 2 Nov 1999 10:41:13 -0800 (PST)

shapj wrote:
> Tyler, there are two basic and fundamental flaws in your argument about delegation. You state:

There is nothing 'basic and fundamental' about saying something hasn't been widely deployed and studied yet. You are overstating the power of your arguments.

> > The creator of an object receives the only capability for that object.
>
> It is clear from context (your subsequent use of the pronoun "she" in reference to the creator) that by "creator" you mean a principal rather than a program. Your statement is therefore contrafactual for partitioned capability systems, and at best half true for encrypted capability systems (in that programs also receive the capability, and for that matter receive it before the principal does).

Are you making a deliberate attempt to confuse the discussion?

If the object creator is software running on a site not controlled by the principal/user, then my arguments apply equally well when thinking about the software as creator as when thinking about the principal/user as creator.

> The balance of your argument proceeds to make many tacit assumptions about the principal's ability to correctly understand the behavior of the programs that they execute.

No, my delegation argument does not even address this issue. Questions about the human usability of some piece of software are properly addressed at the higher level of application design. Solving problems at the wrong abstraction layer results in convoluted designs.

As I explained in the same email, creating proper rights distribution patterns is an issue of application design and the user's judgement. To some extent, it is possible to trade better application design for less reliance on the user's judgement. A well-designed application will make it as easy as possible for the user to apply sound judgement.

> These assumptions are unsupported by mathematics, and are contradicted by empirical observation in current systems. I am prepared to believe that this can be addressed by better system design, but the argument as given doesn't hold until such a design has been tested.

My delegation argument makes no such assumptions. You are the one confusing application design with the definition of security primitives.

As for my belief that more usable software can be created through better application design, I will use the entirety of the software engineering field as my test and proof.

Tyler
