At 10:39 AM -0700 6/17/97, Jonathan S. Shapiro wrote:
>First, domains run quite happily without brands. Given this, the
>brand is merely a statement concerning the secrets held by the
>fabricator. This is in fact how it is used in KeyKOS. The brand
>serves as a quasi-alleged-type by virtue of the design of domain
>creators rather than by virtue of intrinsic properties of the brand.
Machine code runs quite happily without types too. Brands are a mechanism which allows 3rd party determination of type (and authenticity).
>> Should an object be able to change its type?
>
>Personally, I believe that changing the brand should be highly
>restricted (read: not done). I can make a case for situations in which
>it is useful to do so:
>
>SmallTalk has a notion of "become" in which an object can perform an
>identity-preserving self-conversion into an object of some other
>type. I'm not sure that "become" is a good idea -- perhaps MarkM will
>have input -- but if we preserve the quasi-type quality of the brand
>it becomes necessary for a program to be able to alter its brand.
What I don't have a good feel for is how it affects security assertions about the system. It seems to make sense from a language-type, "don't plug the 12-volt plug into the wall socket" point of view.
>> What happens if a program verifies the type of an object, and then
>> it is changed?
>
>If so, then the possible transformations were known to the verifier,
>since the program can only change its type by virtue of knowing its
>prior brand. It is then part of the type contract of the object that
>it is able to change its type.
I am mostly concerned with programs that violate their alleged contracts.
>MarkM has proposed that there be some canonical way to ask a key to
>describe its protocol for purposes of dynamic binding. I'm inclined
>to agree with this, though it's not clear if it should be a
>semi-standard order code or by way of a type registry.
KeyKOS's "new command system" used the KT value (alleged type). But KeyKOS never claimed to provide type safety (at that level). The only claim for type safety was buried in the "official" 3rd party verification concept.
Bill Frantz       | The Internet was designed | Periwinkle -- Consulting
(408)356-8506     | to protect the free world | 16345 Englewood Ave.
frantz@netcom.com | from hostile governments. | Los Gatos, CA 95032, USA
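The distinction the thread draws between an object's alleged type (its self-description, the KT value) and third-party verification through the fabricator that holds the brand secret, together with the "verify, then become" problem, can be shown in a small model. The following is an added illustration, not code from KeyKOS or EROS; the names `Fabricator`, `Domain`, `identify` and `rebrand`, and the rule that only the holder of a domain's current brand may rebrand it, are assumptions made for the example rather than a description of either system's real semantics.

```python
"""Toy model of brand-based third-party type verification.

Added illustration, not code from KeyKOS or EROS. The class and method
names and the rebranding rule are assumptions for this example.
"""


class _BrandToken:
    """Unforgeable secret held only by a fabricator (stand-in for a brand
    key). Identity comparison is the only operation a holder can perform."""

    def __init__(self, owner):
        self.owner = owner

    def __repr__(self):
        return f"<brand of {self.owner!r}>"


class Domain:
    """An object whose alleged type is only a claim it makes about itself."""

    def __init__(self, brand, alleged_type, state):
        self._brand = brand               # never handed to callers
        self.alleged_type = alleged_type  # self-description, untrusted
        self.state = state


class Fabricator:
    """Domain creator. Holds the brand secret and vouches for its products."""

    def __init__(self, type_name):
        self.type_name = type_name
        self._brand = _BrandToken(type_name)

    def create(self, state):
        return Domain(self._brand, self.type_name, state)

    def identify(self, obj):
        """Third-party check: True iff obj was branded by this fabricator.
        The caller learns the answer without ever seeing the brand."""
        return isinstance(obj, Domain) and obj._brand is self._brand

    def rebrand(self, obj, new_fabricator):
        """SmallTalk-style 'become': identity-preserving change of type.
        Model assumption: only a holder of obj's current brand (here, the
        fabricator that made it) may do this."""
        if not self.identify(obj):
            raise PermissionError("caller does not hold this domain's brand")
        obj._brand = new_fabricator._brand
        obj.alleged_type = new_fabricator.type_name


def demo():
    """Run the scenarios from the discussion; returns a dict of outcomes."""
    file_maker = Fabricator("file")
    spoof_maker = Fabricator("file")   # same alleged name, different secret
    real = file_maker.create(b"constructed sample data")
    fake = spoof_maker.create(b"constructed sample data")
    results = {}

    # The alleged type (KT value) cannot tell the two apart...
    results["alleged_equal"] = real.alleged_type == fake.alleged_type
    # ...but asking the fabricator can.
    results["real_verified"] = file_maker.identify(real)
    results["fake_verified"] = file_maker.identify(fake)

    # Verify, then 'become': the earlier answer is no longer valid.
    results["verified_before_become"] = file_maker.identify(real)
    file_maker.rebrand(real, spoof_maker)
    results["verified_after_become"] = file_maker.identify(real)

    # A fabricator cannot rebrand a domain it did not make.
    other = file_maker.create(b"another constructed object")
    try:
        spoof_maker.rebrand(other, file_maker)
        results["unauthorized_rebrand_rejected"] = False
    except PermissionError:
        results["unauthorized_rebrand_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is that `identify` answers for the moment it is called; a program that caches the result and later relies on it is trusting the object's contract not to invoke `rebrand` in between, which is exactly the contract a misbehaving program may violate.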