From: Mark Miller <>
Replying To: marcs <>
Date: Sun, 08 Dec 2002 15:05:05 -0800
Subject: [e-lang] Modelling Blindness (was: Naming Capability Systems)

I liked your message a lot, but I take exception to... 

At 02:38 PM 12/8/2002 Sunday, marcs wrote:
>[...] Object 
>capability system developers never learned anything from ambient authority 
>theoreticians because the object capability folks already had better answers. 
>Ambient authority theoreticians never learned anything from object capability 
>developers because, if they had, they would have stopped talking about 
>ambient authority systems. [...]

As Shap and I have both repeatedly pointed out in this discussion, there's 
nothing wrong with using an ambient authority model (like SW) in order to model an 
actual object capability system (like EROS), in order to reason about 
*certain aspects* of the modelled system. The problem occurs when these 
models are mistaken to be complete enough descriptions of the security 
properties of the actual systems that things impossible in the model, 
because they are outside the scope of the model, like deputies, are 
assumed to be impossible in the actual system.

The other failure mode is that questions that cannot be asked using the 
concepts of the known models cease to be questions that one thinks to ask  
about actual systems -- such as questions about the confusability of deputies.

So the problem isn't the models. It's the "modelling blindness" that often 
follows exposure to a model. (Is there already a well-known term for this 
pathology?) shap

Text by me above is hereby placed in the public domain


e-lang mailing list