mirror of
https://gitlab.com/spritely/ocappub.git
synced 2024-11-22 21:23:02 +00:00
Switch Alyssa and Ben over to Alice and Bob
It makes me sad to drop the SICP characters, but it's consistent with the grannovetter diagram
This commit is contained in:
parent
1d826f33ed
commit
b7ce44cc04
242
README.org
242
README.org
@ -382,43 +382,43 @@ This does not mean that there aren't other layers where we can't
|
|||||||
prohibit such activity, but we shouldn't pretend we can prevent it
|
prohibit such activity, but we shouldn't pretend we can prevent it
|
||||||
at the protocol layer.
|
at the protocol layer.
|
||||||
|
|
||||||
For example, Alyssa may converse with her therapist over the
|
For example, Alice may converse with her therapist over the
|
||||||
protocol of sound wave vibrations (ie, simple human speech).
|
protocol of sound wave vibrations (ie, simple human speech).
|
||||||
Alyssa may be expressing information that is meant to be private,
|
Alice may be expressing information that is meant to be private,
|
||||||
but there is nothing about speech traveling through the air that
|
but there is nothing about speech traveling through the air that
|
||||||
prevents the therapist from breaking confidence and gossiping
|
prevents the therapist from breaking confidence and gossiping
|
||||||
about it to outside sources.
|
about it to outside sources.
|
||||||
But Alyssa could take her therapist to court, and her therapist could
|
But Alice could take her therapist to court, and her therapist could
|
||||||
lose her license.
|
lose her license.
|
||||||
But this is not on the protocol layer of ordinary human speech itself.
|
But this is not on the protocol layer of ordinary human speech itself.
|
||||||
Similarly, we could add a "please keep this private" flag to
|
Similarly, we could add a "please keep this private" flag to
|
||||||
ActivityPub messages so that Alyssa could tell Ben to please not
|
ActivityPub messages so that Alice could tell Bob to please not
|
||||||
share her secrets.
|
share her secrets.
|
||||||
Ben, being a good friend, will probably comply, and maybe his client
|
Bob, being a good friend, will probably comply, and maybe his client
|
||||||
will help him cooperate by default.
|
will help him cooperate by default.
|
||||||
But "please" or "request" is really key to our interface, since from
|
But "please" or "request" is really key to our interface, since from
|
||||||
a protocol perspective, there is no guarantee that Ben will comply.
|
a protocol perspective, there is no guarantee that Bob will comply.
|
||||||
However this does not mean there are no consequences for Ben if he
|
However this does not mean there are no consequences for Bob if he
|
||||||
betrays Alyssa's trust: Alyssa may stop being his friend, or at least
|
betrays Alice's trust: Alice may stop being his friend, or at least
|
||||||
unfollow him.
|
unfollow him.
|
||||||
|
|
||||||
Likewise, it is not possible to attach a protocol-enforceable "do not
|
Likewise, it is not possible to attach a protocol-enforceable "do not
|
||||||
delegate" flag onto any form of authority, whether it be an ocap or an
|
delegate" flag onto any form of authority, whether it be an ocap or an
|
||||||
ACL.
|
ACL.
|
||||||
If Alyssa tells Ben that Ben, and Ben alone, has been granted access to
|
If Alice tells Bob that Bob, and Bob alone, has been granted access to
|
||||||
this tool, we should realize that as long as Ben wants to cooperate
|
this tool, we should realize that as long as Bob wants to cooperate
|
||||||
with Mallet and has communication access to him, he can always set up
|
with Mallet and has communication access to him, he can always set up
|
||||||
a proxy that can forward requests to Alyssa's tool as if they were
|
a proxy that can forward requests to Alice's tool as if they were
|
||||||
Ben's.
|
Bob's.
|
||||||
|
|
||||||
We are not endorsing this, but we are acknowledging it.
|
We are not endorsing this, but we are acknowledging it.
|
||||||
Still, there is something we can do: we could wrap Ben's access to
|
Still, there is something we can do: we could wrap Bob's access to
|
||||||
Alyssa's tool in such a way that it logs that this is the capability
|
Alice's tool in such a way that it logs that this is the capability
|
||||||
Alyssa handed to Ben being invoked every time it is invoked, and
|
Alice handed to Bob being invoked every time it is invoked, and
|
||||||
disable access if it is misused... whether due to Ben's actions,
|
disable access if it is misused... whether due to Bob's actions,
|
||||||
or Mallet's.
|
or Mallet's.
|
||||||
In this way, even though Alyssa cannot prevent Ben from delegating
|
In this way, even though Alice cannot prevent Bob from delegating
|
||||||
authority, Alyssa can hold Ben accountable for the authority granted
|
authority, Alice can hold Bob accountable for the authority granted
|
||||||
to him.
|
to him.
|
||||||
|
|
||||||
If we do not take this approach, we expose our users to harm.
|
If we do not take this approach, we expose our users to harm.
|
||||||
@ -527,19 +527,19 @@ network effect of having this be the foundation is re-centralization.
|
|||||||
|
|
||||||
Furthermore, it doesn't even reflect human behavior; few people
|
Furthermore, it doesn't even reflect human behavior; few people
|
||||||
belong to only one community.
|
belong to only one community.
|
||||||
Alyssa may be a mathematics professor at work, a fanfiction author
|
Alice may be a mathematics professor at work, a fanfiction author
|
||||||
in her personal time, and a tabletop game enthusiast with her friends.
|
in her personal time, and a tabletop game enthusiast with her friends.
|
||||||
The behaviors that Alyssa exhibits and norms of what is considered
|
The behaviors that Alice exhibits and norms of what is considered
|
||||||
acceptable may shift radically in each of these communities, even if
|
acceptable may shift radically in each of these communities, even if
|
||||||
in all of these communities she is Alyssa.
|
in all of these communities she is Alice.
|
||||||
This isn't duplicitous behavior, this is normal human behavior,
|
This isn't duplicitous behavior, this is normal human behavior,
|
||||||
and if our systems don't allow for it, they aren't systems that
|
and if our systems don't allow for it, they aren't systems that
|
||||||
serve our users' needs.
|
serve our users' needs.
|
||||||
But consider also that Alyssa may have one email account, and yet may
|
But consider also that Alice may have one email account, and yet may
|
||||||
use it for all three of these different communities' email mailing
|
use it for all three of these different communities' email mailing
|
||||||
lists.
|
lists.
|
||||||
Those mailing lists may be all on different servers, and yet Alyssa
|
Those mailing lists may be all on different servers, and yet Alice
|
||||||
is able to be the right version of Alyssa for each of those communities
|
is able to be the right version of Alice for each of those communities
|
||||||
as she interacts with them.
|
as she interacts with them.
|
||||||
This seems to point at a mistake in assumptions about the federated
|
This seems to point at a mistake in assumptions about the federated
|
||||||
social web: the instance is not the community level, because users
|
social web: the instance is not the community level, because users
|
||||||
@ -692,45 +692,45 @@ We will get into the technicality of how to implement ocaps in
|
|||||||
|
|
||||||
The foundation of our system will rely on establishing trust between
|
The foundation of our system will rely on establishing trust between
|
||||||
two parties.
|
two parties.
|
||||||
If Alyssa trusts Carol to be able to perform an action, she might
|
If Alice trusts Carol to be able to perform an action, she might
|
||||||
"give consent" to Carol.
|
"give consent" to Carol.
|
||||||
However, giving consent to Carol is not necessarily permanent; Alyssa
|
However, giving consent to Carol is not necessarily permanent; Alice
|
||||||
has the tools to track abuse of her resources, and if she sees that
|
has the tools to track abuse of her resources, and if she sees that
|
||||||
Carol is irresponsible, she can revoke her consent to Carol.
|
Carol is irresponsible, she can revoke her consent to Carol.
|
||||||
(While Carol could have handed this authority to someone else, Alyssa
|
(While Carol could have handed this authority to someone else, Alice
|
||||||
would still see the abuse coming from the access she handed Carol,
|
would still see the abuse coming from the access she handed Carol,
|
||||||
and could still hold Carol responsible.)
|
and could still hold Carol responsible.)
|
||||||
|
|
||||||
What about users that do not yet trust each other?
|
What about users that do not yet trust each other?
|
||||||
If Alyssa does not yet know or trust Ben, it is up to Alyssa's default
|
If Alice does not yet know or trust Bob, it is up to Alice's default
|
||||||
settings as to whether or not Ben has any opportunity to message Alyssa.
|
settings as to whether or not Bob has any opportunity to message Alice.
|
||||||
Maybe Alyssa only gets messages from entities she has existing
|
Maybe Alice only gets messages from entities she has existing
|
||||||
relationships with.
|
relationships with.
|
||||||
|
|
||||||
However, it is possible that Alyssa could have a "default profile"
|
However, it is possible that Alice could have a "default profile"
|
||||||
that anyone can see, but which bears a cost to send a message through.
|
that anyone can see, but which bears a cost to send a message through.
|
||||||
Perhaps Ben can try to send a message, but it ends up in a moderator
|
Perhaps Bob can try to send a message, but it ends up in a moderator
|
||||||
queue.
|
queue.
|
||||||
Or, perhaps Ben can send Alyssa a message, but he must attach "two
|
Or, perhaps Bob can send Alice a message, but he must attach "two
|
||||||
postage stamps" to the message.
|
postage stamps" to the message.
|
||||||
In this case, if the message was nice, Alyssa might refund Ben one
|
In this case, if the message was nice, Alice might refund Bob one
|
||||||
or both stamps.
|
or both stamps.
|
||||||
She might even decide to hand him the authority to send messages to
|
She might even decide to hand him the authority to send messages to
|
||||||
her in the future, for free.
|
her in the future, for free.
|
||||||
|
|
||||||
But say Ben is a spammer and is sending a Viagra ad; Alyssa can keep
|
But say Bob is a spammer and is sending a Viagra ad; Alice can keep
|
||||||
the stamps.
|
the stamps.
|
||||||
Now Ben has to "pay" Alyssa to be spammed (and depending on how we
|
Now Bob has to "pay" Alice to be spammed (and depending on how we
|
||||||
decide to implement it, Alyssa might be able to keep this payment).
|
decide to implement it, Alice might be able to keep this payment).
|
||||||
There is always a cost to unwanted messages, but in our current
|
There is always a cost to unwanted messages, but in our current
|
||||||
systems the costs lie on the side of the receiver, not the sender.
|
systems the costs lie on the side of the receiver, not the sender.
|
||||||
We can shift that dynamic for unestablished relationships.
|
We can shift that dynamic for unestablished relationships.
|
||||||
And critically, it is up to Alyssa to decide her threshold: if she is
|
And critically, it is up to Alice to decide her threshold: if she is
|
||||||
receiving abusive messages, she can up the number of stamps required,
|
receiving abusive messages, she can up the number of stamps required,
|
||||||
disable her public inbox entirely, or hand over moderation to a
|
disable her public inbox entirely, or hand over moderation to a
|
||||||
trusted party during a particularly difficult period.
|
trusted party during a particularly difficult period.
|
||||||
But even if she disables her inbox, the parties which have existing
|
But even if she disables her inbox, the parties which have existing
|
||||||
trust relationships with Alyssa can still message her at no cost.
|
trust relationships with Alice can still message her at no cost.
|
||||||
|
|
||||||
While we do not claim that we can fully model a system of consent in
|
While we do not claim that we can fully model a system of consent in
|
||||||
this system, we can provide the
|
this system, we can provide the
|
||||||
@ -800,28 +800,28 @@ some interesting things we could do:
|
|||||||
construct and hand the valet a "valet key" that only permits
|
construct and hand the valet a "valet key" that only permits
|
||||||
driving five miles and won't open the glove box or trunk.
|
driving five miles and won't open the glove box or trunk.
|
||||||
Sorry kid, you're not getting a joy ride this time.
|
Sorry kid, you're not getting a joy ride this time.
|
||||||
- *revocation*: Let's say that Alyssa wants to allow her roommate
|
- *revocation*: Let's say that Alice wants to allow her roommate
|
||||||
Ben to drive her car, but she also wants to be able to take away
|
Bob to drive her car, but she also wants to be able to take away
|
||||||
that right if Ben misuses it or if they stop being roommates.
|
that right if Bob misuses it or if they stop being roommates.
|
||||||
Alyssa can make a new car key that has a wire inside of it;
|
Alice can make a new car key that has a wire inside of it;
|
||||||
Alyssa holds onto a device where if she presses the button, the
|
Alice holds onto a device where if she presses the button, the
|
||||||
key "self destructs" (ie the wire melts).
|
key "self destructs" (ie the wire melts).
|
||||||
Now Alyssa can stop Ben from being able to drive the car if she
|
Now Alice can stop Bob from being able to drive the car if she
|
||||||
wants to (and if she does, it'll also disable access to anyone
|
wants to (and if she does, it'll also disable access to anyone
|
||||||
else Ben has delegated a key to).
|
else Bob has delegated a key to).
|
||||||
- *accountability*: Alyssa has multiple roommates, and while she would
|
- *accountability*: Alice has multiple roommates, and while she would
|
||||||
like to allow them all to drive her car, the next time someone
|
like to allow them all to drive her car, the next time someone
|
||||||
spills a drink in the car and doesn't clean it up, she wants to know
|
spills a drink in the car and doesn't clean it up, she wants to know
|
||||||
who to blame by seeing who drove the car last.
|
who to blame by seeing who drove the car last.
|
||||||
Alyssa can achieve this via *composition*: she installs a separate
|
Alice can achieve this via *composition*: she installs a separate
|
||||||
"logging" panel into the dashboard of her car, to which she has the
|
"logging" panel into the dashboard of her car, to which she has the
|
||||||
capability to view the logs.
|
capability to view the logs.
|
||||||
Next, for the keys that she hands her roommates, she composes together
|
Next, for the keys that she hands her roommates, she composes together
|
||||||
access to drive the car with the logging service and associates each
|
access to drive the car with the logging service and associates each
|
||||||
key with her roommate's name.
|
key with her roommate's name.
|
||||||
Now each time one of her roommates uses one of these keys, the logging
|
Now each time one of her roommates uses one of these keys, the logging
|
||||||
console (which only Alyssa has access to) takes note of the associated
|
console (which only Alice has access to) takes note of the associated
|
||||||
name, so Alyssa can check who left a mess last.
|
name, so Alice can check who left a mess last.
|
||||||
|
|
||||||
You may have noticed that as we went further in the examples, the
|
You may have noticed that as we went further in the examples, the
|
||||||
ability to construct such rich capabilities on the fly seemed less
|
ability to construct such rich capabilities on the fly seemed less
|
||||||
@ -912,8 +912,8 @@ whenever we need them... authority can be handed over "just in time".
|
|||||||
|
|
||||||
This is less surprising if we consider the way passing around ocap
|
This is less surprising if we consider the way passing around ocap
|
||||||
references resembles the way people develop social relationships.
|
references resembles the way people develop social relationships.
|
||||||
If Alyssa knows Ben and Alyssa knows Carol, Alyssa might decide it is
|
If Alice knows Bob and Alice knows Carol, Alice might decide it is
|
||||||
useful to introduce Ben to Carol.
|
useful to introduce Bob to Carol.
|
||||||
We see this all the time with the way people exchange phone numbers
|
We see this all the time with the way people exchange phone numbers
|
||||||
today.
|
today.
|
||||||
"Oh, you really ought to meet Carol! Hold on, let me give you her
|
"Oh, you really ought to meet Carol! Hold on, let me give you her
|
||||||
@ -935,8 +935,8 @@ transaction infrastructure, can be modeled on ocaps).
|
|||||||
In this paper "Granovetter Diagrams" such as the above are introduced,
|
In this paper "Granovetter Diagrams" such as the above are introduced,
|
||||||
showing how ocaps flow through a system by social introductions.
|
showing how ocaps flow through a system by social introductions.
|
||||||
In fact the above diagram is pretty much exactly the same as our phone
|
In fact the above diagram is pretty much exactly the same as our phone
|
||||||
number exchange... "Alyssa is sending Ben the message =foo=, which
|
number exchange... "Alice is sending Bob the message =foo=, which
|
||||||
contains a reference to Carol, and now Ben has been introduced to /
|
contains a reference to Carol, and now Bob has been introduced to /
|
||||||
has access to Carol."
|
has access to Carol."
|
||||||
|
|
||||||
It turns out that Granovetter Diagrams have their origin in sociology,
|
It turns out that Granovetter Diagrams have their origin in sociology,
|
||||||
@ -1091,52 +1091,52 @@ not shown.)
|
|||||||
|
|
||||||
#+BEGIN_SRC javascript
|
#+BEGIN_SRC javascript
|
||||||
{"@type": "Create",
|
{"@type": "Create",
|
||||||
"actor": "https://chatty.example/ben/",
|
"actor": "https://chatty.example/bob/",
|
||||||
"to": ["https://chatty.example/ben/followers"],
|
"to": ["https://chatty.example/bob/followers"],
|
||||||
"object": {
|
"object": {
|
||||||
"@id": "https://chatty.example/obj/fQFWD9bZf1GKc3E09gt8W4MlChVxoiMAjgzhqxP9KhE",
|
"@id": "https://chatty.example/obj/fQFWD9bZf1GKc3E09gt8W4MlChVxoiMAjgzhqxP9KhE",
|
||||||
"@type": "Note",
|
"@type": "Note",
|
||||||
"attributedTo": "https://chatty.example/ben/",
|
"attributedTo": "https://chatty.example/bob/",
|
||||||
"content": "Hello, fediverse! I'm new here. Who should I be chatting with?"}}
|
"content": "Hello, fediverse! I'm new here. Who should I be chatting with?"}}
|
||||||
#+END_SRC
|
#+END_SRC
|
||||||
|
|
||||||
There is no way to retrieve this object unless you know its address,
|
There is no way to retrieve this object unless you know its address,
|
||||||
but knowing its address allows you to see/refer to it, not unlike the
|
but knowing its address allows you to see/refer to it, not unlike the
|
||||||
Google Docs example we referred to earlier.
|
Google Docs example we referred to earlier.
|
||||||
Ben distributes this message to his local friend group of Alyssa and
|
Bob distributes this message to his local friend group of Alice and
|
||||||
Lem.
|
Lem.
|
||||||
|
|
||||||
Alyssa thinks that Ben would like to meet her friends and composes
|
Alice thinks that Bob would like to meet her friends and composes
|
||||||
a reply which refers to his message.
|
a reply which refers to his message.
|
||||||
|
|
||||||
#+BEGIN_SRC javascript
|
#+BEGIN_SRC javascript
|
||||||
{"@type": "Create",
|
{"@type": "Create",
|
||||||
"actor": "https://social.example/alyssa/",
|
"actor": "https://social.example/alice/",
|
||||||
"to": ["https://social.example/alyssa/collections/my-friends"],
|
"to": ["https://social.example/alice/collections/my-friends"],
|
||||||
"object": {
|
"object": {
|
||||||
"@id": "https://social.example/obj/Aj1k_Phx4uAgCXOMZ7KP9omJXXnOUySlhP-WXYE0obw",
|
"@id": "https://social.example/obj/Aj1k_Phx4uAgCXOMZ7KP9omJXXnOUySlhP-WXYE0obw",
|
||||||
"@type": "Note",
|
"@type": "Note",
|
||||||
"attributedTo": "https://social.example/alyssa/",
|
"attributedTo": "https://social.example/alice/",
|
||||||
"inReplyTo": "https://chatty.example/obj/fQFWD9bZf1GKc3E09gt8W4MlChVxoiMAjgzhqxP9KhE",
|
"inReplyTo": "https://chatty.example/obj/fQFWD9bZf1GKc3E09gt8W4MlChVxoiMAjgzhqxP9KhE",
|
||||||
"content": "Hey Ben!! Welcome to the network. I want to introduce you to my friends."}}
|
"content": "Hey Bob!! Welcome to the network. I want to introduce you to my friends."}}
|
||||||
#+END_SRC
|
#+END_SRC
|
||||||
|
|
||||||
In the former message, Ben shared his message amongst his followers
|
In the former message, Bob shared his message amongst his followers
|
||||||
(which maybe he curates).
|
(which maybe he curates).
|
||||||
In the latter message, Alyssa sent her message, which also provided
|
In the latter message, Alice sent her message, which also provided
|
||||||
a path to Ben's, amongst her friends, encouraging people she knows
|
a path to Bob's, amongst her friends, encouraging people she knows
|
||||||
to establish a social connection with Ben.
|
to establish a social connection with Bob.
|
||||||
Alyssa and Ben were able to coordinate to spread this communication
|
Alice and Bob were able to coordinate to spread this communication
|
||||||
amongst people they trust, but it is not spread further than to
|
amongst people they trust, but it is not spread further than to
|
||||||
anyone who is explicitly handed access.
|
anyone who is explicitly handed access.
|
||||||
(It's possible that someone can share the information when Ben or Alyssa
|
(It's possible that someone can share the information when Bob or Alice
|
||||||
asked them not to;
|
asked them not to;
|
||||||
|
|
||||||
|
|
||||||
This is mildly interesting, but things get much more interesting when
|
This is mildly interesting, but things get much more interesting when
|
||||||
we realize that inboxes can also themselves be capabilities.
|
we realize that inboxes can also themselves be capabilities.
|
||||||
|
|
||||||
Alyssa is a member of a group of pixel art enthusiasts.
|
Alice is a member of a group of pixel art enthusiasts.
|
||||||
|
|
||||||
#+BEGIN_SRC javascript
|
#+BEGIN_SRC javascript
|
||||||
{"@type": "Group",
|
{"@type": "Group",
|
||||||
@ -1150,25 +1150,25 @@ This pixel art enthusiast group has a public page that anyone can
|
|||||||
view at =https://groupchats.example/group/public/pixel-artists=.
|
view at =https://groupchats.example/group/public/pixel-artists=.
|
||||||
However, not everyone who can see that URL has the authority to
|
However, not everyone who can see that URL has the authority to
|
||||||
post to the group.
|
post to the group.
|
||||||
At present, Alyssa has the authority to make posts to this group,
|
At present, Alice has the authority to make posts to this group,
|
||||||
which automatically disseminates them to all members.
|
which automatically disseminates them to all members.
|
||||||
However, Alyssa cannot moderate the group (including its membership
|
However, Alice cannot moderate the group (including its membership
|
||||||
list).
|
list).
|
||||||
She has limited access.
|
She has limited access.
|
||||||
|
|
||||||
We will worry about how the limited access is accomplished in a
|
We will worry about how the limited access is accomplished in a
|
||||||
moment, but for the moment we can say that Alyssa posting to the
|
moment, but for the moment we can say that Alice posting to the
|
||||||
group is as simple as referencing its =@id=:
|
group is as simple as referencing its =@id=:
|
||||||
|
|
||||||
#+BEGIN_SRC javascript
|
#+BEGIN_SRC javascript
|
||||||
{"@type": "Create",
|
{"@type": "Create",
|
||||||
// this is the @id of the above referenced Group object
|
// this is the @id of the above referenced Group object
|
||||||
"to": ["bear:?u=https://groupchats.example/group&t=eQshu8RiJ-9ozh2GKRATXN5-J6dcBVf_AYSMrJ6UEzE"],
|
"to": ["bear:?u=https://groupchats.example/group&t=eQshu8RiJ-9ozh2GKRATXN5-J6dcBVf_AYSMrJ6UEzE"],
|
||||||
"actor": "https://social.example/alyssa/",
|
"actor": "https://social.example/alice/",
|
||||||
"object": {
|
"object": {
|
||||||
"@id": "https://social.example/obj/cdWg7wv1mjrNf0C3vcxCjzPy3Z9tturSBv9_Ew8qe7E",
|
"@id": "https://social.example/obj/cdWg7wv1mjrNf0C3vcxCjzPy3Z9tturSBv9_Ew8qe7E",
|
||||||
"@type": "Note",
|
"@type": "Note",
|
||||||
"attributedTo": "https://social.example/alyssa/",
|
"attributedTo": "https://social.example/alice/",
|
||||||
"content": "Anyone tried out libresprite? I hear it's a fork of the old FOSS branch of aesprite."}}
|
"content": "Anyone tried out libresprite? I hear it's a fork of the old FOSS branch of aesprite."}}
|
||||||
#+END_SRC
|
#+END_SRC
|
||||||
|
|
||||||
@ -1176,11 +1176,11 @@ Now the group can forward this message to its subscribers.
|
|||||||
|
|
||||||
Here's the interesting aspects of this:
|
Here's the interesting aspects of this:
|
||||||
|
|
||||||
- Alyssa's access to write to the group can be unique to her. We'll
|
- Alice's access to write to the group can be unique to her. We'll
|
||||||
see how this can happen in the next section. This means that it's
|
see how this can happen in the next section. This means that it's
|
||||||
also easy for the list administrator to unsubscribe her: they can
|
also easy for the list administrator to unsubscribe her: they can
|
||||||
just revoke the capability.
|
just revoke the capability.
|
||||||
- As said before, the capability Alyssa has here only allows her to
|
- As said before, the capability Alice has here only allows her to
|
||||||
post messages, not do moderation.
|
post messages, not do moderation.
|
||||||
- !Each subscriber on the group has given the group a specific
|
- !Each subscriber on the group has given the group a specific
|
||||||
capability for their subscription. That means that the messages
|
capability for their subscription. That means that the messages
|
||||||
@ -1191,7 +1191,7 @@ Here's the interesting aspects of this:
|
|||||||
** Adding attenuation, revocation, accountability, and composition
|
** Adding attenuation, revocation, accountability, and composition
|
||||||
|
|
||||||
That's all good and well, but even reading the above might hint that
|
That's all good and well, but even reading the above might hint that
|
||||||
we are missing some things. *How* is Alyssa's capability limited to
|
we are missing some things. *How* is Alice's capability limited to
|
||||||
posting but not administrating? *How* can both the susbscribers and
|
posting but not administrating? *How* can both the susbscribers and
|
||||||
the servers both know where messages are "coming from" / hold them
|
the servers both know where messages are "coming from" / hold them
|
||||||
accountable, and also have the power of revocation?
|
accountable, and also have the power of revocation?
|
||||||
@ -1209,7 +1209,7 @@ How about the rest?
|
|||||||
It turns out that one abstraction gives us all the power we need:
|
It turns out that one abstraction gives us all the power we need:
|
||||||
simple, humble, everyday proxies.
|
simple, humble, everyday proxies.
|
||||||
|
|
||||||
Let's say Alyssa has a file on a file storage server corresponding to a
|
Let's say Alice has a file on a file storage server corresponding to a
|
||||||
list of people she would like to invite to a party.
|
list of people she would like to invite to a party.
|
||||||
It is going to be an enormous birthday bash, so she decides she needs
|
It is going to be an enormous birthday bash, so she decides she needs
|
||||||
to keep track of the participants:
|
to keep track of the participants:
|
||||||
@ -1227,12 +1227,12 @@ This file object can accept any of the following two methods:
|
|||||||
- *=READ=*: Allows you to see who is currently on the list.
|
- *=READ=*: Allows you to see who is currently on the list.
|
||||||
- *=WRITE=*: Allows you to completely replace the file.
|
- *=WRITE=*: Allows you to completely replace the file.
|
||||||
|
|
||||||
Alyssa would like to give Ben, Carol, and Lem access to see who is
|
Alice would like to give Bob, Carol, and Lem access to see who is
|
||||||
on the list, but not to modify the list.
|
on the list, but not to modify the list.
|
||||||
"If you want someone added to the list, you can call me up and
|
"If you want someone added to the list, you can call me up and
|
||||||
ask me to add them, but for now I'll just give you read access."
|
ask me to add them, but for now I'll just give you read access."
|
||||||
|
|
||||||
She makes separate read-only capabilities to give to Ben and Carol.
|
She makes separate read-only capabilities to give to Bob and Carol.
|
||||||
These have the following addresses:
|
These have the following addresses:
|
||||||
|
|
||||||
: # aka <PARTY-FILE-READ-ONLY-1>
|
: # aka <PARTY-FILE-READ-ONLY-1>
|
||||||
@ -1240,11 +1240,11 @@ These have the following addresses:
|
|||||||
: # aka <PARTY-FILE-READ-ONLY-2>
|
: # aka <PARTY-FILE-READ-ONLY-2>
|
||||||
: https://filestore.example/obj/DV9E9-jJaX7wFXtQuRMl1m_91d502cv-_5LX8F-GTn8
|
: https://filestore.example/obj/DV9E9-jJaX7wFXtQuRMl1m_91d502cv-_5LX8F-GTn8
|
||||||
|
|
||||||
She hands these out to Ben and Carol respectively.
|
She hands these out to Bob and Carol respectively.
|
||||||
|
|
||||||
Now Ben tries making a =READ= request against =<PARTY-FILE-READ-ONLY-1>=.
|
Now Bob tries making a =READ= request against =<PARTY-FILE-READ-ONLY-1>=.
|
||||||
It works!
|
It works!
|
||||||
Ben sees that one of his friends isn't on the list yet, so he tries
|
Bob sees that one of his friends isn't on the list yet, so he tries
|
||||||
to =WRITE= a new copy of the file that has them listed.
|
to =WRITE= a new copy of the file that has them listed.
|
||||||
Except that this time it throws an error.
|
Except that this time it throws an error.
|
||||||
How?
|
How?
|
||||||
@ -1258,15 +1258,15 @@ Due to the nature of object capabilities, this works!
|
|||||||
Proxies turned out to be all that was necessary to add this
|
Proxies turned out to be all that was necessary to add this
|
||||||
restriction on use.
|
restriction on use.
|
||||||
|
|
||||||
Ben calls up Alyssa and tells her that he appreciates that she wants to
|
Bob calls up Alice and tells her that he appreciates that she wants to
|
||||||
maintain the list, but he has a lot of ideas for people to add, couldn't
|
maintain the list, but he has a lot of ideas for people to add, couldn't
|
||||||
he please write to the file?
|
he please write to the file?
|
||||||
Alyssa decides that she completely trusts Ben to add new people to the list
|
Alice decides that she completely trusts Bob to add new people to the list
|
||||||
but he has a bad habit of highlighting text while reading it and accidentally
|
but he has a bad habit of highlighting text while reading it and accidentally
|
||||||
deleting information.
|
deleting information.
|
||||||
But adding lines? That seems ok.
|
But adding lines? That seems ok.
|
||||||
|
|
||||||
Alyssa makes a new proxy to give to Ben:
|
Alice makes a new proxy to give to Bob:
|
||||||
|
|
||||||
: # aka <PARTY-FILE-READ-AND-APPEND-1>
|
: # aka <PARTY-FILE-READ-AND-APPEND-1>
|
||||||
: https://filestore.example/obj/VhCCn5LjHKhDny50BIwCU8joyUgKyFIursNhfSgl1SY
|
: https://filestore.example/obj/VhCCn5LjHKhDny50BIwCU8joyUgKyFIursNhfSgl1SY
|
||||||
@ -1274,15 +1274,15 @@ Alyssa makes a new proxy to give to Ben:
|
|||||||
This new proxy has a =READ= method along with a brand new method that
|
This new proxy has a =READ= method along with a brand new method that
|
||||||
didn't even exist on the original object called =APPEND= which accepts
|
didn't even exist on the original object called =APPEND= which accepts
|
||||||
as an argument a single line to add to the file.
|
as an argument a single line to add to the file.
|
||||||
It was easy for Alyssa to build this: =APPEND= first does a =READ= against
|
It was easy for Alice to build this: =APPEND= first does a =READ= against
|
||||||
=<PARTY-FILE>=, adds the line to those contents, and does a =WRITE= of the
|
=<PARTY-FILE>=, adds the line to those contents, and does a =WRITE= of the
|
||||||
new version.
|
new version.
|
||||||
Now Ben can =APPEND= as many guests as he wants, but there's no risk of
|
Now Bob can =APPEND= as many guests as he wants, but there's no risk of
|
||||||
him deleting the current attendees.
|
him deleting the current attendees.
|
||||||
|
|
||||||
Carol hears of Ben's ability to append guests and is jealous.
|
Carol hears of Bob's ability to append guests and is jealous.
|
||||||
She calls up Alyssa and says, can't I get access to =APPEND= also?
|
She calls up Alice and says, can't I get access to =APPEND= also?
|
||||||
Alyssa trusts Ben to keep the number of guests he added within reason
|
Alice trusts Bob to keep the number of guests he added within reason
|
||||||
but she's not so sure about Carol.
|
but she's not so sure about Carol.
|
||||||
She decides to make a new capability to give to Carol:
|
She decides to make a new capability to give to Carol:
|
||||||
|
|
||||||
@ -1290,7 +1290,7 @@ She decides to make a new capability to give to Carol:
|
|||||||
: https://filestore.example/obj/NSgn-DCUlbpe7DWTWipF92K09WFdfknYCpJnal0SgoQ
|
: https://filestore.example/obj/NSgn-DCUlbpe7DWTWipF92K09WFdfknYCpJnal0SgoQ
|
||||||
|
|
||||||
This supports the same kind of =APPEND= method interface as the
|
This supports the same kind of =APPEND= method interface as the
|
||||||
=<PARTY-FILE-READ-AND-APPEND-1>= that Alyssa gave Ben, but it has a new
|
=<PARTY-FILE-READ-AND-APPEND-1>= that Alice gave Bob, but it has a new
|
||||||
restriction: this version of =APPEND= keeps track of an integer, the number
|
restriction: this version of =APPEND= keeps track of an integer, the number
|
||||||
of guests added through that capability.
|
of guests added through that capability.
|
||||||
Once three guests have been added, it will refuse to allow any more
|
Once three guests have been added, it will refuse to allow any more
|
||||||
@ -1303,9 +1303,9 @@ proxies just yet!
|
|||||||
|
|
||||||
**** Revocation
|
**** Revocation
|
||||||
|
|
||||||
Alyssa is up working late assembling the list when she gets a call from
|
Alice is up working late assembling the list when she gets a call from
|
||||||
Lem offering to help add people to the list.
|
Lem offering to help add people to the list.
|
||||||
Alyssa is very tired and says you know what, sure.
|
Alice is very tired and says you know what, sure.
|
||||||
She gives Lem the capability =<PARTY-FILE-READ-AND-APPEND-2>= and goes
|
She gives Lem the capability =<PARTY-FILE-READ-AND-APPEND-2>= and goes
|
||||||
off to bed.
|
off to bed.
|
||||||
|
|
||||||
@ -1313,20 +1313,20 @@ She wakes up the next morning and the file is filled with all sorts of
|
|||||||
nonsense attendees... most of them don't even have plausible sounding
|
nonsense attendees... most of them don't even have plausible sounding
|
||||||
names!
|
names!
|
||||||
|
|
||||||
It's so many additions that Alyssa knows at least that it couldn't have
|
It's so many additions that Alice knows at least that it couldn't have
|
||||||
been Carol; there were far more than 3 additions to this file.
|
been Carol; there were far more than 3 additions to this file.
|
||||||
It must have been Ben or Lem.
|
It must have been Bob or Lem.
|
||||||
She calls both up in frustration.
|
She calls both up in frustration.
|
||||||
Both swear they didn't do it!
|
Both swear they didn't do it!
|
||||||
Alyssa decides she doesn't have patience or time for this nonsense and
|
Alice decides she doesn't have patience or time for this nonsense and
|
||||||
decides to cut off access before things get any worse.
|
decides to cut off access before things get any worse.
|
||||||
|
|
||||||
Luckily she's well equipped to do so.
|
Luckily she's well equipped to do so.
|
||||||
We left out a detail when we mentioned the previous capabilities that
|
We left out a detail when we mentioned the previous capabilities that
|
||||||
Alyssa handed out... each one of them has an internal switch that can
|
Alice handed out... each one of them has an internal switch that can
|
||||||
be flipped (or, set a flag), at which point they will refuse to
|
be flipped (or, set a flag), at which point they will refuse to
|
||||||
forward messages anymore.
|
forward messages anymore.
|
||||||
And the power to flip this switch is held by Alyssa and Alyssa alone:
|
And the power to flip this switch is held by Alice and Alice alone:
|
||||||
|
|
||||||
: # aka <REVOKE-PARTY-FILE-READ-AND-APPEND-1>,
|
: # aka <REVOKE-PARTY-FILE-READ-AND-APPEND-1>,
|
||||||
: # has the power to set revocation flag of <PARTY-FILE-READ-AND-APPEND-1>
|
: # has the power to set revocation flag of <PARTY-FILE-READ-AND-APPEND-1>
|
||||||
@ -1335,38 +1335,38 @@ And the power to flip this switch is held by Alyssa and Alyssa alone:
|
|||||||
: # has the power to set revocation flag of <PARTY-FILE-READ-AND-APPEND-2>
|
: # has the power to set revocation flag of <PARTY-FILE-READ-AND-APPEND-2>
|
||||||
: https://filestore.example/obj/trOC_8Ozfe1KxR8ZC32WcF_edk6dx3826uKslKdxvNI
|
: https://filestore.example/obj/trOC_8Ozfe1KxR8ZC32WcF_edk6dx3826uKslKdxvNI
|
||||||
|
|
||||||
Alyssa invokes both of them and poof!
|
Alice invokes both of them and poof!
|
||||||
The corresponding revocation flags are set.
|
The corresponding revocation flags are set.
|
||||||
=<PARTY-FILE-READ-AND-APPEND-1>= and =<PARTY-FILE-READ-AND-APPEND-2>=
|
=<PARTY-FILE-READ-AND-APPEND-1>= and =<PARTY-FILE-READ-AND-APPEND-2>=
|
||||||
now both refuse to forward messages.
|
now both refuse to forward messages.
|
||||||
|
|
||||||
**** Accountability
|
**** Accountability
|
||||||
|
|
||||||
Both Ben and Lem contact Alyssa and insist neither of them made those
|
Both Bob and Lem contact Alice and insist neither of them made those
|
||||||
edits to the document.
|
edits to the document.
|
||||||
Couldn't they please get access again to write to the file?
|
Couldn't they please get access again to write to the file?
|
||||||
|
|
||||||
That evening, Alyssa thinks about it and decides that yes, she could,
|
That evening, Alice thinks about it and decides that yes, she could,
|
||||||
if next time she could hold whoever did it accountable so she could
|
if next time she could hold whoever did it accountable so she could
|
||||||
prevent the problem from happening again and know who violated her
|
prevent the problem from happening again and know who violated her
|
||||||
trust.
|
trust.
|
||||||
|
|
||||||
Alyssa makes two new capabilities, but these ones are a little bit
|
Alice makes two new capabilities, but these ones are a little bit
|
||||||
different than before: while both allow writing to the file, this time
|
different than before: while both allow writing to the file, this time
|
||||||
she associates each one with the name of the person she is handing it
|
she associates each one with the name of the person she is handing it
|
||||||
out to.
|
out to.
|
||||||
Now if Bob writes to the file, it's logged that Bob made this change,
|
Now if Bob writes to the file, it's logged that Bob made this change,
|
||||||
and if Lem writes to the file, it's logged that Lem made this change.
|
and if Lem writes to the file, it's logged that Lem made this change.
|
||||||
Alyssa hands out these new write-capable-but-logging ocaps to Bob and
|
Alice hands out these new write-capable-but-logging ocaps to Bob and
|
||||||
Lem and logs off for the evening.
|
Lem and logs off for the evening.
|
||||||
|
|
||||||
The next morning, the file is defaced again.
|
The next morning, the file is defaced again.
|
||||||
But the logger picks it up: Lem made all these changes!
|
But the logger picks it up: Lem made all these changes!
|
||||||
Alyssa revokes the capability she gave to Lem and gives him a call
|
Alice revokes the capability she gave to Lem and gives him a call
|
||||||
on the phone.
|
on the phone.
|
||||||
|
|
||||||
Lem swears, he really didn't make these changes!
|
Lem swears, he really didn't make these changes!
|
||||||
Alyssa shows him her evidence, and Lem thinks about it.
|
Alice shows him her evidence, and Lem thinks about it.
|
||||||
Well... Lem is really sure that he didn't make those changes, but
|
Well... Lem is really sure that he didn't make those changes, but
|
||||||
he knows that Mallet wanted access to the file.
|
he knows that Mallet wanted access to the file.
|
||||||
It could be that Mallet asked him for it when they went out
|
It could be that Mallet asked him for it when they went out
|
||||||
@ -1375,13 +1375,13 @@ that opportunity to insert a backdoor into his device.
|
|||||||
Lem really isn't sure, but insists that /he/ is not the one that did
|
Lem really isn't sure, but insists that /he/ is not the one that did
|
||||||
it.
|
it.
|
||||||
|
|
||||||
Alyssa trusts Lem enough as a person (but not as a person who
|
Alice trusts Lem enough as a person (but not as a person who
|
||||||
practices good security hygeine), and distrusts Mallet enough, that
|
practices good security hygeine), and distrusts Mallet enough, that
|
||||||
she finds this story plausible.
|
she finds this story plausible.
|
||||||
Still she considers with satisfaction that placing the blame "on the
|
Still she considers with satisfaction that placing the blame "on the
|
||||||
capability she gave to Lem", whether or not it was Lem that did it,
|
capability she gave to Lem", whether or not it was Lem that did it,
|
||||||
was what she really needed to get to the bottom of the situation.
|
was what she really needed to get to the bottom of the situation.
|
||||||
"For now, you can email me suggestions," Alyssa tells Lem.
|
"For now, you can email me suggestions," Alice tells Lem.
|
||||||
"But the next time you want to collaborate on a document, make sure
|
"But the next time you want to collaborate on a document, make sure
|
||||||
you're more careful with your authority.
|
you're more careful with your authority.
|
||||||
And if you're not sure whether Mallet might have a backdoor in your
|
And if you're not sure whether Mallet might have a backdoor in your
|
||||||
@ -1396,56 +1396,56 @@ tonight.
|
|||||||
# live on her own server
|
# live on her own server
|
||||||
|
|
||||||
One thing we might notice about the previous example is that we said
|
One thing we might notice about the previous example is that we said
|
||||||
that Alyssa set up the endpoint pointed by the capability to "log"
|
that Alice set up the endpoint pointed by the capability to "log"
|
||||||
information about who was associated with it.
|
information about who was associated with it.
|
||||||
But... where did the logger come from?
|
But... where did the logger come from?
|
||||||
The file did not contain this functionality, and capabilities
|
The file did not contain this functionality, and capabilities
|
||||||
themselves do not intrinsically have logging functionality.
|
themselves do not intrinsically have logging functionality.
|
||||||
|
|
||||||
The answer is: Alyssa had a capability to a logging facility, and used
|
The answer is: Alice had a capability to a logging facility, and used
|
||||||
that to do the logging!
|
that to do the logging!
|
||||||
But what's interesting about that?
|
But what's interesting about that?
|
||||||
Think about it for a moment: the capability is now doing something more
|
Think about it for a moment: the capability is now doing something more
|
||||||
interesting than mere "proxying".
|
interesting than mere "proxying".
|
||||||
It isn't merely forwarding or not a message to a single capability...
|
It isn't merely forwarding or not a message to a single capability...
|
||||||
Alyssa has *composed together* the file capability with the logging
|
Alice has *composed together* the file capability with the logging
|
||||||
capability.
|
capability.
|
||||||
Pretty cool!
|
Pretty cool!
|
||||||
|
|
||||||
And yet we are about to see an even cooler example of composition.
|
And yet we are about to see an even cooler example of composition.
|
||||||
|
|
||||||
Now that Alyssa has put enough work into this file, she would like to
|
Now that Alice has put enough work into this file, she would like to
|
||||||
automatically back up the file's contents twice a day.
|
automatically back up the file's contents twice a day.
|
||||||
Luckily, she has a capability to a job-scheduling service:
|
Luckily, she has a capability to a job-scheduling service:
|
||||||
|
|
||||||
: # lets Alyssa schedule work at periodic intervals
|
: # lets Alice schedule work at periodic intervals
|
||||||
: # aka <JOB-SCHEDULER>
|
: # aka <JOB-SCHEDULER>
|
||||||
: https://webchronjobs.example/api/3Gw5Ivk_qaNPLWro0MTr_KP1JhuC6GWDvhgDARFG61g
|
: https://webchronjobs.example/api/3Gw5Ivk_qaNPLWro0MTr_KP1JhuC6GWDvhgDARFG61g
|
||||||
|
|
||||||
Alyssa also has a capability to a backup service:
|
Alice also has a capability to a backup service:
|
||||||
|
|
||||||
: # more or less another place to put files
|
: # more or less another place to put files
|
||||||
: # aka <BACKUP-SERVICE>
|
: # aka <BACKUP-SERVICE>
|
||||||
: https://backups.example/api/BUWRNHd2kIkhl0MvtPUd8tqhW_c99c5KdBZYC7bC0NA
|
: https://backups.example/api/BUWRNHd2kIkhl0MvtPUd8tqhW_c99c5KdBZYC7bC0NA
|
||||||
|
|
||||||
And recall, of course, Alyssa's original capability to <PARTY-FILE>
|
And recall, of course, Alice's original capability to <PARTY-FILE>
|
||||||
|
|
||||||
: # aka <PARTY-FILE>
|
: # aka <PARTY-FILE>
|
||||||
: https://filestore.example/obj/30SVLFRf1cTPNnjgaJfN8r85joIMVDSgWSKXKoYiFuY
|
: https://filestore.example/obj/30SVLFRf1cTPNnjgaJfN8r85joIMVDSgWSKXKoYiFuY
|
||||||
|
|
||||||
Alyssa would like to have =<JOB-SCHEDULER>= periodically copy
|
Alice would like to have =<JOB-SCHEDULER>= periodically copy
|
||||||
=<PARTY-FILE>= over to =<BACKUP-SERVICE>=.
|
=<PARTY-FILE>= over to =<BACKUP-SERVICE>=.
|
||||||
However, she wouldn't like =<JOB-SCHEDULER>= to be able to read
|
However, she wouldn't like =<JOB-SCHEDULER>= to be able to read
|
||||||
the contents of =<PARTY-FILE>= or write anything else other than
|
the contents of =<PARTY-FILE>= or write anything else other than
|
||||||
the backup of =<PARTY-FILE>= to =<BACKUP-SERVICE>=.
|
the backup of =<PARTY-FILE>= to =<BACKUP-SERVICE>=.
|
||||||
This might seem like an impossible task... but Alyssa knows how
|
This might seem like an impossible task... but Alice knows how
|
||||||
to do it.
|
to do it.
|
||||||
|
|
||||||
Alyssa creates a new object/endpoint on her own server with the
|
Alice creates a new object/endpoint on her own server with the
|
||||||
following capability URL:
|
following capability URL:
|
||||||
|
|
||||||
: # aka <BACKUP-PARTY-FILE>
|
: # aka <BACKUP-PARTY-FILE>
|
||||||
: https://alyssas-home.example/obj/9SzcK9U40-EPYll1ixTU2-jgqvPWJy1xvQWfSp3aT-c
|
: https://alices-home.example/obj/9SzcK9U40-EPYll1ixTU2-jgqvPWJy1xvQWfSp3aT-c
|
||||||
|
|
||||||
Now here's the cool thing: internally, =<BACKUP-PARTY-FILE>= knows
|
Now here's the cool thing: internally, =<BACKUP-PARTY-FILE>= knows
|
||||||
about and actually uses both =<PARTY-FILE>= and =<BACKUP-SERVICE>=...
|
about and actually uses both =<PARTY-FILE>= and =<BACKUP-SERVICE>=...
|
||||||
@ -1455,7 +1455,7 @@ But =<BACKUP-PARTY-FILE>= never /discloses/ the locations of either
|
|||||||
=<PARTY-FILE>= or =<BACKUP-SERVICE>=.
|
=<PARTY-FILE>= or =<BACKUP-SERVICE>=.
|
||||||
Why should it?
|
Why should it?
|
||||||
|
|
||||||
And so, Alyssa can schedule =<JOB-SCHEDULER>= to run
|
And so, Alice can schedule =<JOB-SCHEDULER>= to run
|
||||||
=<BACKUP-PARTY-FILE>= twice a day.
|
=<BACKUP-PARTY-FILE>= twice a day.
|
||||||
But =<JOB-SCHEDULER>= never gets to read the actual contents of
|
But =<JOB-SCHEDULER>= never gets to read the actual contents of
|
||||||
=<PARTY-FILE>= or write anything else to =<BACKUP-SERVICE>=
|
=<PARTY-FILE>= or write anything else to =<BACKUP-SERVICE>=
|
||||||
|
Loading…
Reference in New Issue
Block a user