(I naively think that knowing what the real final endpoint would be in terms of eg 'eq' is the rare case for OCaps, since in OOP generally ideally one should have refs to interfaces, and not know/care what is doing the implementation behind those interfaces, including proxies/wrappers/delegators.) "This call results in Alice doing Y" is different than "This call tells Alice to do Y".)
Can you provide a concrete example of why one would want to perform the join instead of just using the two capabilities separately?
I'm not sure "Ask Bob" works for this use case: If I understand correctly, it could only tell you that Alice and Dana claim to agree on the identity of KEQD, but it does not protect against one of them performing a MITM after claiming agreement.
Ihab brings up a more common use case, which is actually already implemented in Sandstorm: Human users generally don't understand the concept of having multiple capabilities to the same document, possibly with different permissions. Human users also generally aren't anywhere near as susceptible to confused deputy attacks as everyone else. Therefore, as a convenience, when a human user receives two capabilities to the same document, we automatically join them. This join definitely takes union semantics, for obvious reasons. Note that in this use case, we are unioning not just revocation conditions, but also permissions/attenuations (e.g. read, write).
I'm not so sure that users aren't susceptible to confused deputy attacks without some additional context. In SCoopFS, Kenton would have to send a message to Ihab saying, "Please make this change on my behalf." That message would not include Kenton's capability; it just refers to the document by name. Ihab must explicitly select his rw capability to make the change. As I understand what you do in Sandstorm, Kenton uses his capability to make the request, which gets merged with Ihab's. At this point, it appears to Ihab that he is making the change using Kenton's capability even though he's using permissions from his own.
Marc Stiegler came up with a clever UI affordance to make all this clear. If Ihab views the document with Kenton's capability, Ihab sees a ro view. If Ihab opens it with his own, he sees a rw view. In either case, he see the same document, which reduces any possible confusion. Since Ihab does have write permission, his UI has an Edit button (actually a tab in Stiegler's UI).
The same views are used for sharing, WYSIWYS (What You See Is What You Share). If you click the Share button while in the Edit view, you share rw. If you click in the Browse view, you share ro. We need to do more experiments to see how easy that is for people to understand, but at least there's a concise explanation.
Google's UI researchers claimed to us that people would get a
read-only view from somewhere and then be confused when they couldn't
edit it, even when there was an edit button. People don't look for
controls they don't expect to need.
Why should there be an edit button at all? If I go to try to edit it,
then it could tell me that I cannot, and offer instructions (even a
button, should that somehow be possible) that helps me get started on
getting over into edit mode.
On Tue, Jan 5, 2016 at 11:14 AM, Alan Karp <alan...@gmail.com> wrote:I'm not so sure that users aren't susceptible to confused deputy attacks without some additional context. In SCoopFS, Kenton would have to send a message to Ihab saying, "Please make this change on my behalf." That message would not include Kenton's capability; it just refers to the document by name. Ihab must explicitly select his rw capability to make the change. As I understand what you do in Sandstorm, Kenton uses his capability to make the request, which gets merged with Ihab's. At this point, it appears to Ihab that he is making the change using Kenton's capability even though he's using permissions from his own.Yes, but Ihab is not a computer. He can look at the document and understand what the document is and what effect my requested change will have. He can decide if this change seem suspicious. Moreover if I ask him to make a change that I obviously could have made myself, he's going to wonder why I asked him to do it, and probably catch on to the fact that I don't actually have said permission after all.
This isn't foolproof, obviously. Social engineering is a thing. But social engineering could also work against SCoopFS based on titles, as you describe. Humans are relatively unlikely to be fooled just because I sent them a thing that looks like a capability, especially if they aren't capability-based security experts. :)Humans, meanwhile, are much worse at managing multiple capabilities to the same object than computers are. So in the interest of UX, we make a compromise by auto-joining capabilities when they land in a human's capability store.
Marc Stiegler came up with a clever UI affordance to make all this clear. If Ihab views the document with Kenton's capability, Ihab sees a ro view. If Ihab opens it with his own, he sees a rw view. In either case, he see the same document, which reduces any possible confusion. Since Ihab does have write permission, his UI has an Edit button (actually a tab in Stiegler's UI).I really doubt that a user would understand that landing on the read-only view implies that the sender only had read access, if an edit button or tab is readily visible and is normally part of the UI. The user would merely think: "Huh, why am I on the read-only view? I'll switch to edit mode so I can make the requested edit."
The same views are used for sharing, WYSIWYS (What You See Is What You Share). If you click the Share button while in the Edit view, you share rw. If you click in the Browse view, you share ro. We need to do more experiments to see how easy that is for people to understand, but at least there's a concise explanation.I see what you're going for here but my intuition is that users wouldn't get it, and that this UX doesn't scale well with complexity. Consider what happens when you add a "can comment" permission. Do we now have three tabs: "read-only", "read+comment", and "edit"?
I don't think "If people understand email attachments they can understand caps" is a good argument.
Email attachments have significantly higher cognitive overhead than Google Docs does today. Yes, a lot of people get it, but at a mental cost, and some people (probably, people that people like us rarely interact with) could never handle it at all. Google Docs is widely considered to be a huge improvement over that world.