This observation of Chip's makes "co-mingled authority" make more sense
to me.
Still, the phrase feels like it's missing something though; one could
say an object which composes multiple capabilities is co-mingling
authority, but doing so safely.
Chip Morningstar writes:
> “Co-mingled authority” nicely parallels the accounting idea of
> “co-mingled funds”, wherein once you’ve put money from different
> sources that were supposed to be managed separately into a single
> account, you can no longer keep track of which is which to maintain
> proper accounting controls.
>
>> On Apr 2, 2021, at 11:48 AM, Mark S. Miller <ma...@agoric.com> wrote:
>>
>> I like "co-mingled authority". I bounced this off Norm while I still
>> could, and he was fine with it.
>>
>> The main problem with the term "confused deputy" is implying the bug
>> is in the deputy.
I both agree and also think that's partly the point. The confused
deputy *is* mis-programmed, in the sense that it's programmed within the
wrong *paradigm*. The deputy might be fairly well programmed within
that construction, but sometimes when leaks keep appearing everywhere,
it's time to change your construction materials.
>> That if the deputy were coded better, it wouldn't be confused.
And in general, these criticisms are *correct*! One can almost always
plug a hole in the confused deputy authority leak. Meanwhile tech
journalists will show up and wag their fingers and say "they should have
seen this leak was here and patched it."
The problem is that the surface is so porous, there are always more
leaks about to burst through. This *retrospective criticism* is the
real problem. It is akin to "memory safety in C": in theory, it is
possible to program the perfect C programs which have no memory safety
issues. In practice, it is not possible. But a mistake can always be
pointed out in retrospect. My heart bleeds for the openssl developers
and how it must have felt to receive all that "obvious in retrospect"
criticism. But the right solution would have been to not put developers
in this position to make those kinds of mistakes over and over.
You are correct then that "failure of judgement" is thus insufficient,
because people wag their fingers saying "use better judgement next
time". But the right answer is "don't rely on judgement at all".
>> To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com <mailto:cap-talk%2Bunsu...@googlegroups.com>.
>> To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/871rbsileg.fsf%40dustycloud.org.
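The confused-deputy / co-mingled-authority distinction the thread is discussing, as an added illustration that is not part of any message in it. A toy "compiler" deputy keeps its own billing record and writes output for a caller. In the first version the caller supplies a file *name* and the deputy exercises its own authority on that name, so the caller's authority and the deputy's are co-mingled in one namespace. In the second version the caller hands over a write capability, so the deputy can only write what it was given and its billing capability is a separate object. Everything here (`FileSystem`, `WriteCap`, `billing.log`, `out.txt`, the two `compile_*` functions) is constructed for the example, not taken from any real system.

```python
"""Confused deputy vs. capability passing, as a small in-memory model.

Added example, not code from the cap-talk thread.  The "compiler" deputy,
the billing file and the flat filesystem are all constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class FileSystem:
    """Constructed toy filesystem: a flat name -> contents map."""
    files: dict = field(default_factory=dict)

    def write(self, name: str, data: str) -> None:
        self.files[name] = data

    def read(self, name: str) -> str:
        return self.files.get(name, "")


BILLING = "billing.log"      # the deputy's private record (constructed name)
USER_FILE = "out.txt"        # the one file the caller is meant to write


# --- ACL-style deputy: authority exercised on caller-supplied names --------

def compile_by_name(fs: FileSystem, source: str, output_name: str) -> None:
    """The deputy acts with *its own* authority on a name the caller chose.

    It has no way to tell whether `output_name` is something the caller may
    write, because the caller's authority and the deputy's own are exercised
    through the same channel (the shared namespace).  That is the
    co-mingling; any fix here is a per-name check that can be missed.
    """
    fs.write(BILLING, fs.read(BILLING) + "1 compile\n")   # deputy's business
    fs.write(output_name, f"compiled({source})")          # caller's request


# --- Capability-style deputy: authority travels with the designation -------

class WriteCap:
    """Possession of this object is permission to write exactly one file."""

    def __init__(self, fs: FileSystem, name: str):
        self._fs, self._name = fs, name

    def read(self) -> str:
        return self._fs.read(self._name)

    def write(self, data: str) -> None:
        self._fs.write(self._name, data)


def compile_with_caps(billing: WriteCap, source: str, output: WriteCap) -> None:
    """The deputy never names the output; it writes through the capability it
    was handed.  The billing capability is a distinct object, so there is no
    single channel in which the two authorities could be confused."""
    billing.write(billing.read() + "1 compile\n")
    output.write(f"compiled({source})")


def demo_confused_deputy() -> str:
    """Caller names the billing file as the output; the record is clobbered.
    Returns the billing file contents afterwards."""
    fs = FileSystem()
    fs.write(BILLING, "")
    compile_by_name(fs, "hello", BILLING)   # nothing in the deputy stops this
    return fs.read(BILLING)


def demo_capability_deputy() -> tuple:
    """Caller can only pass a capability it actually holds.  In a real
    capability system the caller would never see `fs` at all; here we model
    that by giving the caller-side code only `user_caps`."""
    fs = FileSystem()
    fs.write(BILLING, "")
    billing_cap = WriteCap(fs, BILLING)            # held by the deputy only
    user_caps = {USER_FILE: WriteCap(fs, USER_FILE)}

    def caller(caps: dict) -> None:
        # The caller has no WriteCap for billing.log, so there is nothing to
        # hand the deputy that would designate it.
        compile_with_caps(billing_cap, "hello", caps[USER_FILE])

    caller(user_caps)
    return fs.read(BILLING), fs.read(USER_FILE)


if __name__ == "__main__":
    print("by name, billing after:", repr(demo_confused_deputy()))
    print("by capability, (billing, out):", demo_capability_deputy())
```

The point matches the thread: `compile_by_name` can be patched with a check on `output_name`, and the next leak will be another name the check did not anticipate; `compile_with_caps` removes the judgement call because the deputy never has a name to judge.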