Mark S. Miller writes:
> On Tue, Oct 27, 2020 at 4:46 PM Christopher Lemmer Webber <
>
cwe...@dustycloud.org> wrote:
>
>> An attempt to break down categories. Thinking further about the
>> relationship between:
>>
>> - OCaps vs ACLs
>> - Interactive fiction "input prompt" vs "here's what happened"
>> - The same, but now for distributed virtual worlds
>> - Read Eval vs Print (loop!)
>> - ActivityPub Client to Server (I want to do this next) vs Server to
>> Server (you want to know that this happened... and know if it could)
>>
>> And some places where we've seen them hybridized.
>>
>> Anyway, the table has more details... it's plaintext, but I'm guessing
>> HTML browsers won't render nicely. Would a volunteer who uses an HTML
>> client like to paste the following table in some form that preserves
>> fixed width foo?
>>
>>
https://dustycloud.org/tmp/command-desc-ocap-acl.org.txt
>
>
> Since it is a *.txt file, it rendered fine in my browser. Interesting!
> Looking forward to your extended explanations.
Glad to hear your interest. Had a fairly interesting call about it
today on Friam, the original table also based on a call with Jonathan
Rees; thanks to everyone helping shape my thoughts on this. I'm going
to braindump some thoughts from the calls and etc...
- This table/these notes for grouping things was done quickly as I was
capturing some thoughts before I lost them after my call with Rees,
as such I think some things were lost... the first row that lists
OCaps and then ACLs in the first two (non-header) rows may have made
it look like the first two columns were *entirely* about ocaps and
ACLs. While I think everything in the first column can be done
correctly with ocaps, the ACLs are an example of where
identity/judgement are applied in the wrong way, as an authorization
model. However I believe we don't fully escape identity/judgement,
we just scope our problems.
- Alan really wanted to emphasize that we can use ocap channels for
authentication and this is often more correct than ever having
anything eq-compared or using signatures etc; I agree with this
(though think there are cases where it turns out to be insufficient,
explained below). It's a useful toolkit, and in a sense the first
two columns both provide something for each other. But conceptually
I try to leave them as separate.
- The REPL and interactive fiction examples are maybe good ways of
understanding what I mean. Having a REPL open is familiar, and
having an object reference that we can ask for its own
interface/documentation is perfectly valid in an ocap system.
While a programmer is thinking about the structure of their program,
they may interrogate, say, a purse object that's on a remote machine.
That purse may then give its alleged interface, and this may affect
what the programmer does next with the ocaps *the programmer has*
at the next step in the REPL, and satisfied with an appropriate
construction, may codify that into code saved into some file that
guides the use and dissemination of capaiblities held by the objects
which are represented by that new code. But this is alleged; the
purse object could lie about its interface to some degree, and such
a lie could even be just out of date documentation or a regression.
Nonetheless the communication step is still useful... but the sharing
of information is not itself used as an authorization step.
- Similarly, consider an interactive fiction game, with the following
interactions:
> take gun
You take the gun. Its steel is cold against the palm of your hand.
This could be modeled in an ocap object-style system. Consider the
player to have a current scope of objects they can operate on, one
of which is gun. The "take gun" is not far from gun.take() and
indeed many interactive fiction systems do just such a translation.
Now consider the following scenario in this noir-style detective
game:
> talk to cloaked figure
"It's dangerous being in such an alley such as this. You've got a
nice knife there, but here I've got a gun. Two, in fact. Now I'm
your friend, pal. I see your wallet's looking a bit heavy. How
about you hand me some hard cash in exchange for one of these fine
guns... keep you safe on the streets, you know?
> take 500 zorkmids from wallet
You reach into your wallet and pull out 500 zorkmids. The cloaked
figure carefully watches the movements of your hands to make sure
that you don't draw a weapon. He seems satisfied but eager to
take the money. "Come on, hand it over. Let's finish the
transaction."
> hand cash to cloaked figure
You hand over your wad of cash to the cloaked figure, who eagerly
snatches it up. "See pal? I'm good on your offer. We're friends,
see?" He puts the cash in his own wallet and hands you the gun,
open palmed.
> take gun
You take the gun from the cloaked figure. As you do so, you get
a glimpse... a scar runs across the palm of his hand. It... looks
familiar.
> look at scar
A sudden flashback of that fateful night, when you lost your dear
wife, makes everything clear. That scar... that's the very same
scar on the hand of the man who murdered your wife!
> shoot cloaked figure with gun
You fire the gun at the cloaked figure. He staggers back in
surprise. "You... you shot me!" he says, staring down at the wound
on his chest...
In this silly noir pulp story, we see several things:
- This really does resemble a REPL interaction... the player inputs
a command that is read, transformed and evaluated as an
appropriate method invocation, propagating world changes and
effects that are then printed out to the player.
- Information being printed, a period of deliberation by the player
as deciding what to do next, resemble the second column of
identity/judgement. The system's read and eval resemble
command/ocap. There is a feedback loop (ha) between the two
parts of this process, but they are different.
- What capabilities are within the player's scope change throughout
the scope of the session. Withdrawing money from the wallet
reduces future opportunities to withdraw money, handing the money
provides access to the gun, and thus the opportunity to shoot.
- The player might be able to type "wave magic wand and turn the
sky purple", but the game is likely to respond with "Wave what?"
Not far from the kind of error we might see at a normal REPL
interaction.
- But more than that, what opportunities are allegedly available
are mediated by the story the game tells. The player may not
know that buying a gun is *even an option* until the cloaked
figure mentions it is. At that point the player must decide...
"is it a good idea to buy the gun?" The player is making a
judgement call... the game is not forcing this action, but not
doing so might have other, different effects.
- The game also provides some interesting information not only
on what *can be done*, but what *allegedly has happened*. The
reveal of the scar as being the same from the hand of the person
who shot the detective's wife is not directly a communication
about what further capabilities are available, but does inform
the player enough that they decide how to *use* one of the
capabilities they have.
- A fun game, if a bit violent (but thankfully, fictionally so). The
stakes here are not high for the player, other than possibly losing
the game. But in some ways this is not far from the way we think and
interact in our own lives.
- But how does the player know whether what the game is telling them
is... "real"? In this case, the game is really the arbitrator of its
own world of truth, and thus the player can simply immerse themselves
in the reality of whatever the game says.
- Things get more complicated when it's not just one runtime or object
system that's the source of truth. I started to run into this in
ActivityPub, which has both a client-to-server protocol and a
server-to-server protocol. Both use similar structures but I
realized that the same structures appeared very different in each. I
may have a capability through the client-to-server protocol to Create
a Note that says I like pie. But on the server-to-server side,
someone may find a post in their inbox that says that it's from me,
claiming I do or don't like pie. Was it from me or Mallet? Here we
seem to be in some level of identity/judgement land. For the kinds
of posts sent on the ActivityPub network today, it's generally simple
enough... well, there's only one operator, Chris, so we can just see
if Chris signed the message, thus it came from them. It's more
complicated in the example that Alan (allegedly) openins the bridge
by pulling the lever. How do I know that's true? And do I need to
know?
- Kevin correctly pointed out that if we think about many games today,
you might not always have a way for all players in the game to be
able to verify all events, and this can be a source of fun. In some
games, you can shoot a projectile at a sleeping monster who wakes up
and thinks their sleeping buddy is the one that hit them. They now
start to get into a fight, giving you an opportunity to sneak past or
plan a covert attack (or just let the monsters beat themselves up for
you).
- In "real life", it's also demonstratable that most people don't
usually know "how" they know something is true or false. This leads
to some absurd practices, and occasionally errors out very badly (the
severity of this pandemic might be such an example), but in general
it's nonetheless possible for a society to move forward with
participants only having partial or even incorrect information.
- Thus, is it critical that I know that Alan is the one who opened the
bridge? Maybe that depends on my job... am I Chief Bridge Safety
Officer? Okay then, yes. Often otherwise, probably not.
Finally, something fairly different. How do we know what the current
milage and gas level in a car are?
- We could consult an odometer and gas reader that we trust to perform
exactly this task. Maybe we implicitly believe it must be correct
because we understand or have audited the workings of the car. Often
otherwise it might be because we know that tweaking such things to be
incorrect could result in a fine or other penalty. But this is often
a sufficient source of truth. But it might not be the only way.
- We could deconstruct the car into pieces, pull out the gas tank and
pour its gasoline into a container that lets us measure its volume.
This would be quite accurate enough for the gas tank level. We could
also examine the wear and tear on engine and other car components, if
we're sufficiently skilled, and make a rough "guesstimate". "This
isn't new as claimed; this car looks like it's had about 15 years of
heavy use..." However this is imprecise and requires more expertise
than the gas tank... and the ability to dissasemble. Nonetheless
some smalltalk and lisp machine environments are examples of systems
that have allowed such incredible introspection to the appropriately
privileged user.
- If our universe were more deterministic and we were able to log all
times the car has been driven, when its gas tank has been filled,
etc, we might understand the state of the car-relevant part of the
universe to reconstruct its state.
There's another example I'm too tired to provide about weddings and
municipal registries that I think is interesting... maybe tomorow if
there's interest. Or maybe this was too long and braindump'y. (If you
got this far and enjoyed it let me know! Now it's time for bed.)