Musing on the key metaphor


Christopher Lemmer Webber

Nov 15, 2020, 1:49:23 PM11/15/20
to cap-...@googlegroups.com
Car keys, and likewise house keys, will never be true ocaps because
they're really rights amplification, separating designation (the house's
physical location) and authority (the ability to enter the house).

However, if we ever have completely externally sealed buildings with
teleportation pads inside, and keys teleport you directly to the spot,
we will finally have true ocaps with the key metaphor.

- Chris

Alan Karp

Nov 15, 2020, 2:10:59 PM11/15/20
to cap-...@googlegroups.com
I like to talk about the car key at the valet parking station.  It has a tag with the car's license plate number, which is the designation part.

--------------
Alan Karp


--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/87blfyh2xz.fsf%40dustycloud.org.

Rob Markovic

Nov 16, 2020, 11:26:10 PM11/16/20
to cap-...@googlegroups.com
Yeah, or a dynamic privilege given to a service person while performing work like changing a tire, where the first escalation issue is access to the trunk, and the second is access to the glove box via the passenger door, but not the driver's or rear doors. Also no access to start the engine, etc. All logged.

++ Rob


Jonathan S. Shapiro

Nov 27, 2020, 7:20:19 PM11/27/20
to cap-talk
A physical key has always been a troubled metaphor for a capability. I think the reason it came into use is simply that physical keys are something most people have, and they share enough attributes with secure tokens that they provide a starting point for intuitions about capabilities. Norm, certainly, was quick to agree that the analogies don't hold up very well once you start examining them.

Incidentally: physical keys do designate the object, at least to the extent that there has to be a physical match between the pin setting in the physical lock and the contour of the physical key. Yes, all of us here know that the lock is not the car, but for somebody who hasn't thought about the intuitions before, the analogies are at least good enough to suck. Which is better than any other analogy to commonly known things that we seem to have come up with so far.


Jonathan

F. Randall Farmer

Aug 24, 2021, 4:58:50 PM8/24/21
to cap-talk
I'm about to try to introduce a LOT of people to the idea of object capabilities, and the "car key" metaphor has become weaker in an unexpected way:

"Keys" are now fairly tightly bound in people's minds to crypto. They are a Capital-Letter-Noun now, with properties that don't apply well when talking about object capability systems.

Is there any other means of metaphorically describing them without using the word Key?

Matt Rice

Aug 24, 2021, 5:12:47 PM8/24/21
to cap-talk
One thing that comes to mind as an alternate metaphor is various passes that allow you to get into things.
Buses don't really have many layers of authority; concert/festival passes might have more, like VIP, backstage, crew...
Anyhow, that is the first thing that comes to mind as a plausible alternative to physical keys.

Raoul Duke

Aug 24, 2021, 5:28:53 PM8/24/21
to cap-...@googlegroups.com
(restating things people have said i am sure, but anyway...)

I'd like to say that the progression from car key, to valet key, to logged fine-grained car door access control --> hints something about usability in my mind. To wit, things are entirely too complicated. If I had to worry about anything more than e.g. the valet key, I would likely fail to find all the ways in which somebody can mess up my security plans. I think real world data systems are kinda inherently too complex by nature. Should I let Fred be able to read the report, Caroline able to edit paragraph 2 subsection alpha, and Mr. Evil to not even decode the encrypted version, oh but wait, Caroline just ripped off her face mask and she was Mr. Evil all along, etc. Then to believe any non-super-smart-security type person on the street can have any chance at all... yeah, no.

On the other hand, I think w/out fine grained controls we have security theatre. At the moment our mobile devices seem to often lack the more nuanced granularity I want in every possible case even though they have obviously gotten way better over time.

The underlying problem with digital stuff is that once the barn door is open, you are kinda screwed as we all know from DRM and all the data leaks that are only ever getting more painful (not apparently so much for the organizations, for the users whose data got copied). When somebody commits grand theft auto, they've only got my 1 car to fence (even if they have a 3d printer).

Thus there's this unfortunate collision: complexity of security use cases vs. simplicity of cat getting out of the bag if you get anything wrong.

Matt Rice

Aug 24, 2021, 5:29:13 PM8/24/21
to cap-talk
I suppose though there is an argument against this, in that I'm thinking of the lanyard-style pass, but people might think of the wristband-style pass which is physically attached and made to self-destruct when you take it off.
Those wristband-style things lack an important property of capabilities that the lanyard-style passes have... That potential for confusion gives me some doubt.

Alan Karp

Aug 24, 2021, 6:51:53 PM8/24/21
to cap-...@googlegroups.com
I have used the example of my cleaning lady.  I could set up my smart lock so she can authenticate with her phone to get into my house on Monday morning.  Works fine, until she gets sick, that is.  Then she faces a tough choice.  She can either have an annoyed customer whose house doesn't get cleaned or give her phone to a substitute.  Doing the latter gives up all her private photos, bank accounts, etc.  If I give her a 6-digit code (or a physical key but I don't get to limit when it can be used) to enter on the smart lock, she can just tell the code to her substitute.  Note that I'll still hold my cleaning lady responsible for any damage, because that's who I gave the code to. 

--------------
Alan Karp


Raoul Duke

Aug 24, 2021, 7:02:18 PM8/24/21
to cap-...@googlegroups.com
"if it bends, it's funny. 
if it breaks, it's not funny." 
-crimes & misdemeanors. 

i do think these metaphors all very quickly break because digital stuff is so different than physical stuff. 

and that's not unimportant, it is - to a regular consumer - a main crux of the nut. 

a hard problem. 

Christine Lemmer-Webber

Aug 24, 2021, 8:11:16 PM8/24/21
to cap-...@googlegroups.com, F. Randall Farmer
Pre-enchanted magic wands (or, choose your "magic gadget" of choice) are
the best thing I've thought of to immerse the metaphor in physical
space. Possession corresponds to ability to invoke.

Watch out for the magic gadgets shaped like monkey paws though. I hear
they have some strange side effects.

Tristan Slominski

Aug 25, 2021, 7:06:10 AM8/25/21
to cap-...@googlegroups.com
Perhaps unguessable or "unlisted" URLs as a metaphor will work, although authenticated unguessable URLs muddle the issue somewhat.

The other approach could be to double down on more specific keys:

Rental car key may be specific enough to retain enough context at the risk of a less common experience.

Do hotel room keys still work how I think they do? They would be another specific example that could work. They're even revokable.

Raoul Duke

Aug 25, 2021, 12:34:38 PM8/25/21
to cap-...@googlegroups.com
(/brokenrecord I'd continue to try to split hairs and urge people to not use e.g. keys for cars or other large hard to copy objects in such metaphors as I feel it misses the very key important fundamental issue with digital info. So maybe more James Bond style "somebody uses their phone to take a picture of your documents" scenario that is straddling the physical-digital spectrum.)

Mark S. Miller

Aug 25, 2021, 6:34:42 PM8/25/21
to cap-...@googlegroups.com
Sorry Raoul, although I appreciate all the downsides of the car key metaphor, I am not convinced that any of the alternatives presented so far is better. More accurate, perhaps yes. But better to get across the fundamental first intuition to those tuning in for the first time? IMO no.


On Wed, Aug 25, 2021 at 9:34 AM Raoul Duke <rao...@gmail.com> wrote:

> (/brokenrecord I'd continue to try to split hairs and urge people to not use e.g. keys for cars or other large hard to copy objects in such metaphors as I feel it misses the very key important fundamental issue with digital info. So maybe more James Bond style "somebody uses their phone to take a picture of your documents" scenario that is straddling the physical-digital spectrum.)

Raoul Duke

Aug 25, 2021, 6:44:27 PM8/25/21
to cap-...@googlegroups.com
Thanks, I can understand using e.g. the valet key being the first way
to give an intuition!

I'd just like people to then asap follow up with the fact that there's
such a difference in the impact ... risk = probability * impact, and
impact includes how hard it is to do including how much $, how
'widely' it can be done, and how hard it might be to recover. If we
say that we've got something like car keys and therefore security is
QED then that's irresponsible. The bottom line is digital is way too
hard because the cat getting out of the bag is utterly different than
non-photocopyable physical items that cannot be un-pandora'd.
Furthermore we don't even know what data is being collected / accessed
/ "stolen" from us. It could be the cookies, it could be the hacks on
orgs, it could be any # of effectively invisible-to-the-user things.
Let alone then the de-anonymization that can happen.

David Nicol

Aug 26, 2021, 10:06:11 AM8/26/21
to cap-...@googlegroups.com

When I was using e-mailed verification codes and trying to explain them in 1996, I talked about dry-cleaner tickets a lot.

The slip with the number on it that indicates the privilege to collect a specific parcel of cleaned clothing seems like a good real-world capability "key."



--
"Lay off that whiskey, and let that cocaine be!" -- Johnny Cash

Jonathan S. Shapiro

Aug 26, 2021, 11:07:48 AM8/26/21
to cap-...@googlegroups.com
Then there are the cars that unlock based on your phone being nearby (via BLE)…

The key metaphor was always problematic. Maybe the answer is that a capability is a capability and we have to note the billet and explain it. 

Mike Stay

Aug 26, 2021, 3:26:14 PM8/26/21
to cap-...@googlegroups.com
Treasure maps are a lot like cryptocaps. So are car keys, in the
sense that they have a key space you can brute force. So are cars, in
the sense that it's possible to make an exact-enough copy of a car:
mostly you just need the same model of car with the same VIN and
license plate. So are fingerprints:
https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

The only physical systems I know of where you can't forge them just
using data (in principle) are entangled quantum systems. But they're
also linear, which doesn't match most ocaps.

I don't know of any physical system that approximates ocaps well.



--
Mike Stay - meta...@gmail.com
http://math.ucr.edu/~mike
https://reperiendi.wordpress.com

Raoul Duke

Aug 26, 2021, 3:32:10 PM8/26/21
to cap-...@googlegroups.com
re: cars etc. to me the issue is that it is hard to exfiltrate 50M actual cars from a database. 

Matt Rice

Aug 27, 2021, 2:33:55 AM8/27/21
to cap-talk
I remember Mike had also mentioned on list Chirographs a number of
years ago now...
https://en.wikipedia.org/wiki/Chirograph a kind of torn/cut contract
where the cut/torn edge can be checked to match against the other
sides.
There are also Tally sticks,
https://en.wikipedia.org/wiki/Tally_stick in particular split tallies.

I'm really not suggesting these as a metaphor, as they aren't common
anymore to lend any familiarity...
But they probably should be included in a survey of capability-like
physical objects, were there one.
I particularly like Tally sticks because, either due to the literacy
at the time they were in use or the difficulty of the medium,
references to party identities seem rare (or at least I've never seen
one with any form of identity on it);
at the same time they maintain a direct multi-party connection, while
with treasure maps and magic wands and keys the multi-party case allows
for an absent party.
Whereas in Chirographs/Tally sticks both parties must bring forth the
parts to authenticate that the split/cut/tear matches.

Carl Hewitt Twitter: ProfCarlHewitt

Aug 27, 2021, 10:53:37 AM8/27/21
to cap-talk
The "address" metaphor is far more familiar and more accurate than
the key metaphor as a foundation for computation.
For example, a message sent to the "President of the United States" may be
acted upon even though it was never seen by the sitting President.

Context is the this-decade race to develop and deploy technology that is
resilient against cyberattacks. Some of the mathematical foundation is explained here:


Regards,


David Nicol

Aug 27, 2021, 2:11:15 PM8/27/21
to cap-...@googlegroups.com

Based on the interaction I had earlier today with a customer service rep (CSR) at the company from whom I bought my recently stolen cell phone, who used the fact that I could receive e-mail at this address to verify my identity before blacklisting the device's serial number, it seems like "secure code" is the current vernacular and "key" is subject matter expert (SME) jargon and that is the current state of things.

> > The key metaphor was always problematic. Maybe the answer is that a capability is a capability and we have to note the billet and explain it.


Matt Rice

Aug 28, 2021, 5:03:05 AM8/28/21
to cap-talk
On Fri, Aug 27, 2021 at 2:53 PM Carl Hewitt Twitter: ProfCarlHewitt
<carl.e...@gmail.com> wrote:
>
> The "address" metaphor is far more familiar and more accurate than
> the key metaphor as a foundation for computation.
> For example, a message sent to the "President of the United States" may be
> acted upon even though it was never seen by the sitting President.

Trying to keep it short, but there are times when this is appropriate,
and times when it is not.
In this case, a message to the former president may be deliverable to
the current president,
but "The patient in bed 2C", is unlikely to want to take receipt of a
recent escapee's intended lobotomy.
Mixing routing metaphors with recipient metaphors seems tenuous to me.

Brian Cannard

Aug 28, 2021, 5:27:34 AM8/28/21
to cap-...@googlegroups.com
"A tunnel, a wormhole, a pipe, a road, a wire, vasculature..." Something which has impenetrable walls and connects two locations in spacetime.

--


Brian Cannard  |   Chief Mad Scientist

206-566-8179    br...@solidstatepros.com

solidstatepros.com


Bill Frantz

Aug 29, 2021, 3:56:21 PM8/29/21
to cap-...@googlegroups.com
On 8/26/21 at 11:07 AM, jonathan....@gmail.com (Jonathan
S. Shapiro) wrote:

>The key metaphor was always problematic. Maybe the answer is that a
>capability is a capability and we have to note the billet and explain it.

The lock and key metaphor has some value as an introductory
notion but there are difficulties. I know of very few keys that
have an identifier which lets you locate the associated lock,
something most (all?) capabilities have.

Also, many capability systems let you have different privileges,
depending on what kind of cap you have. The lock and key
metaphor doesn't seem well suited to this feature.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        | Re: Computer reliability, performance, and security:
408-348-7900       | The guy who *is* wearing a parachute is *not* the
www.pwpconsult.com | first to reach the ground. - Terence Kelly

Alan Karp

Aug 29, 2021, 4:10:12 PM8/29/21
to cap-...@googlegroups.com
On Sun, Aug 29, 2021 at 12:56 PM Bill Frantz <fra...@pwpconsult.com> wrote:

> I know of very few keys that
> have an identifier which lets you locate the associated lock,
> something most (all?) capabilities have.

Both the valet parking your car and my cleaning lady attach a tag to designate which lock it's for.

--------------
Alan Karp

Chris Hibbert

Aug 29, 2021, 4:35:37 PM8/29/21
to cap-...@googlegroups.com, Alan Karp
And commercial keys commonly have a master, which has more power than an
individual key. Of course this is a pre-programmed master, and there's
no ability to attenuate existing keys, so the metaphor only stretches so
far.

Chris
--
If you take penicillin, you excrete half of it. It goes into the
sewer in low doses. It doesn't kill everything in the sewer, but
it makes them start developing a resistance to penicillin. Most
antibiotic resistance may arise outside our bodies. --Kary Mullis
http://www.edge.org/documents/archive/edge315.html

Chris Hibbert
hib...@mydruthers.com
Blog: http://www.pancrit.org
Twitter: C_Hibbert_reads
http://mydruthers.com

Chip Morningstar

Aug 29, 2021, 8:48:13 PM8/29/21
to cap-...@googlegroups.com


> On Aug 29, 2021, at 1:35 PM, Chris Hibbert <hib...@mydruthers.com> wrote:
>
> ... so the metaphor only stretches so far.

Sometimes imprecision is the price of clarity.

Chip

Christine Lemmer-Webber

Sep 7, 2021, 2:16:48 PM9/7/21
to cap-...@googlegroups.com, Carl Hewitt Twitter: ProfCarlHewitt
I think actor addresses are easier to grok in some ways than the car
key metaphor. Similarly, URIs, which are of course a
pseudo-actor-address. The bigger risk is that it's easy to pay
attention to the human-readable part of the envelope, think about names,
and slip into identity-land. Anonymous P.O. boxes, however, have the
right properties.

In a sense, I still think the thing that makes ocaps *clearest* is
understanding that they are *just references in programming languages*.
Maybe this is because, for me, the real aha moment for ocaps was
reading:

http://mumble.net/~jar/pubs/secureos/secureos.html

"Oh... this is just ordinary programming, taken seriously!"

One thing that pretty much all contemporary programming languages get
right (actor-oriented or not, actors just help understand how this can
apply to distributed systems) is that in general most programming isn't
spent looking at the name on the address... you just deal with reference
passing.

So, mostly agreed, just expanded a bit above. The people who must be
sold on ocaps, ultimately, are programmers. Appealing to ocaps'
connection to intuitive programming semantics is the biggest win we
have.
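Christine's point that ocaps are just references, together with the thread's valet key, tire-service pass and cleaning-lady scenarios and Chris Hibbert's remark that physical keys cannot be attenuated, as an added JavaScript example that is not part of the thread or any poster's code: facets attenuate, a caretaker revokes, and the audit log records which facet was used rather than who held it. All object names, method names and the clock are constructed for the example.

```javascript
// Added example, not from the thread: object capabilities as plain object references.
// Holding a reference to an object *is* the authority to invoke it; a valet key,
// a tire-service pass or a cleaner's time-limited code are just new objects that
// forward a subset of methods. No identity is checked anywhere; the audit log records
// which facet was used, not who held it. All names here are constructed for the example.
'use strict';

// The underlying full-authority object (the car itself).
function makeCar() {
  return Object.freeze({
    unlockDoors: () => 'doors unlocked',
    startEngine: () => 'engine started',
    openTrunk: () => 'trunk open',
    openGlovebox: () => 'glovebox open',
  });
}

// Attenuation: a facet exposing only `allowed` methods, each invocation logged
// under `label`. The facet gives its holder no way to reach `target` itself.
function attenuate(target, allowed, label, log) {
  const facet = {};
  for (const name of allowed) {
    facet[name] = (...args) => {
      log.push(`${label}:${name}`);
      return target[name](...args);
    };
  }
  return Object.freeze(facet);
}

// Revocation (hotel room key, cleaner's Monday-morning code): a caretaker that
// forwards until revoked or past `validUntil`, measured by an injectable clock.
function makeRevocable(target, validUntil, now) {
  let revoked = false;
  const caretaker = {};
  for (const name of Object.keys(target)) {
    caretaker[name] = (...args) => {
      if (revoked || now() > validUntil) throw new Error('capability revoked');
      return target[name](...args);
    };
  }
  return { cap: Object.freeze(caretaker), revoke: () => { revoked = true; } };
}

const tryCall = (f) => { try { return f(); } catch (e) { return e.message; } };

// Walk through the thread's scenarios and return what each holder could do.
function demo() {
  const car = makeCar();
  const log = [];
  const valet = attenuate(car, ['unlockDoors', 'startEngine'], 'valet', log);
  const tireService = attenuate(car, ['openTrunk'], 'tire-service', log);
  let clock = 0; // constructed clock; 0..100 stands for "Monday morning"
  const { cap: cleanerCode, revoke } =
    makeRevocable(attenuate(car, ['unlockDoors'], 'cleaner', log), 100, () => clock);
  const substitute = cleanerCode; // delegation is just handing over the reference
  const results = {
    valetStart: valet.startEngine(),
    valetHasTrunk: typeof valet.openTrunk === 'function', // false: not in the facet
    serviceTrunk: tireService.openTrunk(),
    serviceHasEngine: typeof tireService.startEngine === 'function', // false
    substituteUnlock: substitute.unlockDoors(), // works: same reference as the cleaner's
  };
  clock = 101; // the window has closed
  results.afterExpiry = tryCall(() => cleanerCode.unlockDoors());
  clock = 50; revoke(); // owner revokes early; the holder cannot undo this
  results.afterRevoke = tryCall(() => cleanerCode.unlockDoors());
  results.log = log.join(',');
  return results;
}
```

Note what the physical key cannot do: `attenuate` mints a weaker key from a stronger one at any time, and `revoke` is held by the owner, not baked into the lock.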

Alan Karp

Sep 7, 2021, 3:57:29 PM9/7/21
to cap-...@googlegroups.com
On Tue, Sep 7, 2021 at 11:16 AM Christine Lemmer-Webber <cwe...@dustycloud.org> wrote:

> "Oh... this is just ordinary programming, taken seriously!"

--------------
Alan Karp

Tristan Slominski

Sep 19, 2021, 11:23:59 AM9/19/21
to cap-...@googlegroups.com
I came across an interesting example of capabilities, Durell Bishop's Marble Answering Machine:

"[The] answering machine has a stock of marbles. Whenever a caller leaves a message ... it associates that message with a marble from the stock, and the marble rolls down a track to the bottom, where it sits along with the marbles representing previous messages. When the owner of the machine comes home, a glance at the track shows ... how many messages are waiting: the number of marbles arrayed at the bottom of the track. To play a message, the owner picks up one of the marbles and drops it in a depression at the top of the answering machine; because each marble is associated with a particular message, it knows which message to play. Once the message has been played, the owner can decide what to do: either return the marble to the common stock for reuse (so deleting the message) or returning it to the track (saving it to play again later)." 

"Now imagine a good spy-movie scenario. You receive a long and vital message on the home machine, but you have just one minute until your nosy roommate gets home. You don't want her to see or hear the message, but you cannot delete it yet. What do you do? I am willing to bet that every single reader of this text immediately thought "Take the marble and put it in your pocket, then later, in private, drop it into the machine." The situation was unusual, yet you at once knew how to proceed, but what would you have done on your usual digital device?"

Source: Natural Born Cyborgs by Andy Clark