“Non-Delegatable Authorities in Capability Systems” is a curious paper that raises again something that I had thought was settled. “Authority” is a slippery word. I try and fail to be consistent in using it. In the paper, capabilities are referred to with the mass noun “authority”, and the authors indeed examine again mechanisms admitting a property of a capability that prevents it from being sent to those to whom you hold capabilities.

The paper brings to mind thoughts I had many years ago when I rejected ideas from Hydra that limited such propagation. I do not now remember the Hydra details. The decision was by no means easy and I have no written record of the reasoning. I do recall some of the considerations, however.

Such design decisions always occur in a web of other design decisions and are made before the web is in clear view. After the design is fixed the web of possibilities recedes from view, never having come into full view. Papers such as this are thus useful, if irritating.

I present here a too naïve argument against NDA in the Keykos context. I adopt the simplest axioms for capabilities and message passing that I know:

I raise this issue to broach the question “Do we need function in the basic message passing mechanism, or can we achieve the results by creating a class of objects that we all trust to behave?” In other words, can we agree to extend our trust of the platform to the platform plus a few objects built thereupon? In yet other words, must we distrust all code not in the kernel? I defer that question.

I have a capability to a mutable object. I trust the object to


This is in suspense just now as I am driven to this adventure.