So, I've got a new job and I'm trying to use capability security discipline as
we're architecting our Java servers (which run programs that do data
transformation). The idea right now is to try to follow the guidelines in
the Joe-E draft paper, and adopt the Joe-E tool once it is ready.
We also need to worry about concurrency and distributed programming. Is
anyone using the E-lib from Java? I'd love to hear about real world
performance issues, programming complexity, etc. I realize that Joe-E
intends to use it too, but we need to start programming already.
Also, has anyone done any practical work on visualizing capability graphs?
I've been diagramming the objects representing the different types of users
we have and what they are allowed to do, and the objects that they can
manipulate. I noticed I needed to distinguish between object creation and
holding and passing of references. I had about 20 objects in there it
wasn't quite as cute as, say, the Granovetter Diagram, although it wouldn't
be so bad if I broke it into subgraphs with just one page or graph per class.
Thanks,
Monty
cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

Well, I haven't done work on capability graphs, but I've been working
on 3 dimensional graphs. I have a network protocol for adding to the
graph and manipulating the graph through HTTP, so that you can have
a shared session with whatever is generating the graph. I can send you
the code, if you like. I don't have any persistence yet. It's
programmed in JGL.

It would be really cool if we could add capabilities to this, such
that people
could only see certain parts of the graph.

I also have some 2D graph drawing tools that are similar, but a little
farther along in terms of labelling, nesting, and saving stuff. The
3D stuff
is the only stuff that is multiuser.

Let me know whether you want the code and your desired distribution
format.

John
May 8, 2006, at 3:18 PM, Monty Zukowski wrote:

So, I've got a new job and I'm trying to use capability security
discipline as
we're architecting our Java servers (which run programs that do data
transformation). The idea right now is to try to follow the
guidelines in
the Joe-E draft paper, and adopt the Joe-E tool once it is ready.

We also need to worry about concurrency and distributed
programming. Is
anyone using the E-lib from Java? I'd love to hear about real world
performance issues, programming complexity, etc. I realize that Joe-E
intends to use it too, but we need to start programming already.

Also, has anyone done any practical work on visualizing capability
graphs?
I've been diagramming the objects representing the different types
of users
we have and what they are allowed to do, and the objects that they can
manipulate. I noticed I needed to distinguish between object
creation and
holding and passing of references. I had about 20 objects in
there it
wasn't quite as cute as, say, the Granovetter Diagram, although it
wouldn't
be so bad if I broke it into subgraphs with just one page or graph
per class.

Thanks,

Monty

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

>
Also, has anyone done any practical work on visualizing capability
graphs?
I've been diagramming the objects representing the different types
of users
we have and what they are allowed to do, and the objects that they can
manipulate. I noticed I needed to distinguish between object
creation and
holding and passing of references. I had about 20 objects in
there it
wasn't quite as cute as, say, the Granovetter Diagram, although it
wouldn't
be so bad if I broke it into subgraphs with just one page or graph
per class.

If you're on WIndows, you may want to look at GME, a generic modelling
environment from Vanderbilt. You can come up with just about any
software diagram you
want, using metamodels.

Personally, I'd want something in Java.

John

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

>
Personally, I'd want something in Java.
I've used JGraph in Java.
John
cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

>
It would be really cool if we could add capabilities to this, such
that people
could only see certain parts of the graph.

Since I am using Java GL for picking, I am using an integer to name
objects. What I envision doing is using some kind of algorithm to
generate a capabilities-as-data integer to pass over the internet
to other people.

Does someone have a standard set of capabilities that I can use
to add to this graphing program? I guess this is similar to file
system capabilities. Could I just subclass my node and arc
from some publically available classes, and the database,
multiuser, networking and capabilities would come for free?

Jed, what do you think about a capability system to write IMPACT
programs in a distributed/multiprogrammer fashion?

John

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

At 10:04 PM 5/8/2006, John Carlson wrote:

It would be really cool if we could add capabilities to this, such
that people
could only see certain parts of the graph.
>
>Since I am using Java GL for picking, I am using an integer to name
>objects. What I envision doing is using some kind of algorithm to
>generate a capabilities-as-data integer to pass over the internet
>to other people.

Are you talking about something like Tyler's YURLs?

>Does someone have a standard set of capabilities that I can use
>to add to this graphing program? I guess this is similar to file
>system capabilities. Could I just subclass my node and arc
>from some publically available classes, and the database,
>multiuser, networking and capabilities would come for free?

You lost me above.

>Jed, what do you think about a capability system to write IMPACT
>programs in a distributed/multiprogrammer fashion?

Gulp. Now that's a real stretch referencing a cellular data
flow machine and capabilities in the same sentence. Such
a topic could more appropriately be discussed off this list.

http://www.webstart.com/jed/

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

May 9, 2006, at 5:29 PM, Jed at Webstart wrote:

At 10:04 PM 5/8/2006, John Carlson wrote:

It would be really cool if we could add capabilities to this, such
that people
could only see certain parts of the graph.
>>
>Since I am using Java GL for picking, I am using an integer to
>name
>objects. What I envision doing is using some kind of algorithm to
>generate a capabilities-as-data integer to pass over the internet
>to other people.
>
Are you talking about something like Tyler's YURLs?

Something like that that would fit in an int (32-bits). Is there an
algorithm for creating capabilities-as-data for ints?

>Does someone have a standard set of capabilities that I can use
>to add to this graphing program? I guess this is similar to file
>system capabilities. Could I just subclass my node and arc
>from some publically available classes, and the database,
>multiuser, networking and capabilities would come for free?
>
You lost me above.

I mean are there some standard modules I can inherit from, and
gain the database, multiuser, networking, and capabilities. Thus,
I could write a node module and an arc module, do the GUI (cut
copy, paste, move). To get the database, multiuser, networking,
and capabilities, I would just attach my code to the standard
modules wouldn't have to design a schema, deal with the
complexities of distributing capabilities, or design the network
protocol. Please don't tell me this is a revolutionary concept.

>Jed, what do you think about a capability system to write IMPACT
>programs in a distributed/multiprogrammer fashion?
>
Gulp. Now that's a real stretch referencing a cellular data
flow machine and capabilities in the same sentence. Such
a topic could more appropriately be discussed off this list.
Well, I think your ideas for the programming of IMPACT (not
the cellular part, the textual part), could be easily adapted
to graphs. If you think about programming these things in
a distributed fashion, you probably want some capabilities
that you could distribute to people when the coding is done.
What I am envisioning is a CVS or SVN system based on
capabilities instead of passwords and ambient authority.

I'm not necessarily saying it has to be IMPACT, just that
a MMPIDE (massively multiprogrammer online integrated development
environment) would be interesting to write within the context of
capabilities.
Perhaps this is what the Croquet project is trying to do.

John

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

What I am envisioning is a CVS or SVN system based on
capabilities instead of passwords and ambient authority.

How hard would it be to create a capability wiki that could
be used to control source code, with full revisions, with an
eclipse front end? Thus, the project gods could decree that a person
would work on a certain module, and that person would
be granted the capability to modify the module, and send
it back to the project gods for integration. The integrated
parts could be made available to all for use. Later, customers
could be granted rights to read certain tagged versions
of the code.

John

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

John Carlson wrote:
May 9, 2006, at 5:29 PM, Jed at Webstart wrote:

objects. What I envision doing is using some kind of algorithm to
generate a capabilities-as-data integer to pass over the internet
to other people.
>Are you talking about something like Tyler's YURLs?
>>

Something like that that would fit in an int (32-bits). Is there an
algorithm for creating capabilities-as-data for ints?

YURLs are just an unguessable number. And note that guessing a 32-bit
number is easily within reach of modern hardware. Assuming testing each
integer takes 1ms, a conservative estimate I think, you can fully
exhaust a 32-bit space in less than 50 days. I believe 80-bits is as
little as you can reasonably go.

Sandro

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

May 10, 2006, at 5:38 AM, Sandro Magi wrote:

John Carlson wrote:
>May 9, 2006, at 5:29 PM, Jed at Webstart wrote:
>>
objects. What I envision doing is using some kind of algorithm to
generate a capabilities-as-data integer to pass over the internet
to other people.
Are you talking about something like Tyler's YURLs?

>>
>Something like that that would fit in an int (32-bits). Is there an
>algorithm for creating capabilities-as-data for ints?
>
YURLs are just an unguessable number. And note that guessing a 32-bit
number is easily within reach of modern hardware. Assuming testing
each
integer takes 1ms, a conservative estimate I think, you can fully
exhaust a 32-bit space in less than 50 days. I believe 80-bits is as
little as you can reasonably go.

So if I want to collaborate, by building a "graph" from nodes and
arcs, perhaps
this is how I might do it:

I need to retrieve a YURL for building a new graph,
then retrieve a YURL from the graph YURL for creating new nodes
(probably a
Node class underneath), a similar one for arcs, then use a YURL that
my coworker
has communicated to me to send my coworker the creation YURLs. Then
we can use
the creation YURLs to create object YURLs, send them to each other,
and attach
the object YURLs to GL objects. Next I use the graph YURL to
generate
YURLs for modifying and reading object attributes, and YURLs for
attaching nodes to arcs and arcs to nodes. I pass these to my
coworker. When I move an
GL object, I use the object YURL and a modify YURL with
parameters to update the database
stored on the server somewhere. I notify my coworker by passing
the object YURL
with the read YURL, so that he can read the location values from the
object in the database.
I then start attaching arcs to nodes and nodes to arcs. I pass the
attachment YURL with
the two objects YURLs I am attaching to the database, and to my
coworker. We
are now building a fairly large graph. , there's a bug. We need
to have
detachment YURLs and deletion YURLS.

My question is, can I get all this capability passing in my program
by simply attaching
my source code for Nodes and Arcs and Graphs to some existing capability
classes? Maybe there's a definition of Graphs and Arcs and Nodes
that I can take advantage
of? Then I need someway to securely share GL attributes of Nodes
and Arcs like, position, orientation
and color and attachments a web server. Perhaps the code to
do this would
be generated. I would write the code for selecting and moving the
objects through 3D.

Thanks for letting me know about recent developments.

How does one let someone know the purpose of a YURL. Are there
semantics that
go with it?

John

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

John Carlson wrote:
May 10, 2006, at 5:38 AM, Sandro Magi wrote:

My question is, can I get all this capability passing in my program
by simply attaching
my source code for Nodes and Arcs and Graphs to some existing capability
classes? Maybe there's a definition of Graphs and Arcs and Nodes
that I can take advantage
of? Then I need someway to securely share GL attributes of Nodes
and Arcs like, position, orientation
and color and attachments a web server. Perhaps the code to
do this would
be generated. I would write the code for selecting and moving the
objects through 3D.

See the Waterken server:

Thanks for letting me know about recent developments.

How does one let someone know the purpose of a YURL. Are there
semantics that
go with it?

A YURL is just a regular URL, with the added property that it's
unguessable. This additional property means it can be be used as a
capability, aka a secure object reference.

See also the Waterken server mailing lists, for a pointer to Tyler's
blog where he has additional starter documentation.

Sandro

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

>
See the Waterken server:
>
>Thanks for letting me know about recent developments.
>>

I will check for additional client software that may have
been added recently. I was hoping I could get an answer
before downloading.

>How does one let someone know the purpose of a YURL. Are there
>semantics that
>go with it?
>
A YURL is just a regular URL, with the added property that it's
unguessable. This additional property means it can be be used as a
capability, aka a secure object reference.

What I mean was, is this a creational YURL, an object YURL,
a method YURL, an attachment YURL, etc. etc. Can the
client figure out what to do with the YURL if passed one through
a 3rd party, or through some queue supported by Waterken Server?

I'm not talking about plugging a YURL into a web browser, I want
that information as part of client software.

thing I suppose I could do is generate X3D using a stylesheet
associated with code on the server. This certainly is a possibility.
I would probably have to write an X3D fragment parser on the client
side. I am not sure, but I think that most X3D parsers parse entire
documents. I guess I can look for streaming X3D.

John

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

John Carlson wrote:
>A YURL is just a regular URL, with the added property that it's
>unguessable. This additional property means it can be be used as a
>capability, aka a secure object reference.

What I mean was, is this a creational YURL, an object YURL,
a method YURL, an attachment YURL, etc. etc.

Any of the above.

Can the
client figure out what to do with the YURL if passed one through
a 3rd party, or through some queue supported by Waterken Server?

Performing a GET on the YURL returns an XML description of the
interface. The client, whether it be a browser or software agent, can
figure out what to do then.

Sandro

I'm not talking about plugging a YURL into a web browser, I want
that information as part of client software.

thing I suppose I could do is generate X3D using a stylesheet
associated with code on the server. This certainly is a possibility.
I would probably have to write an X3D fragment parser on the client
side. I am not sure, but I think that most X3D parsers parse entire
documents. I guess I can look for streaming X3D.

John

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

Sandro Magi wrote:

>>Can the
>>client figure out what to do with the YURL if passed one through
>>a 3rd party, or through some queue supported by Waterken Server?

Performing a GET on the YURL returns an XML description of the
interface. The client, whether it be a browser or software agent, can
figure out what to do then.

Sandro,

could you please post a small example of the XML
that comes back? For the haptics amongst us.

iang

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

Ian G wrote:
Sandro Magi wrote:

Can the
client figure out what to do with the YURL if passed one through
a 3rd party, or through some queue supported by Waterken Server?
>>
>Performing a GET on the YURL returns an XML description of the
>interface. The client, whether it be a browser or software agent, can
>figure out what to do then.

Sandro,

could you please post a small example of the XML
that comes back? For the haptics amongst us.

Tyler posted a series of "Hello World!" examples here:

Sandro

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

Sandro Magi wrote:
Ian G wrote:

>>Sandro Magi wrote:
>>
>>
Can the
client figure out what to do with the YURL if passed one through
a 3rd party, or through some queue supported by Waterken Server?

Performing a GET on the YURL returns an XML description of the
interface. The client, whether it be a browser or software agent, can
figure out what to do then.
>>
>>Sandro,
>>
>>could you please post a small example of the XML
>>that comes back? For the haptics amongst us.

Tyler posted a series of "Hello World!" examples here:

Is that document up to date? In the text it
refers to web-calculus.org but in the links
it goes to yurl.net. Also, it is not clear
what the point of the first XML is is
that displayed on a browser?

This one:

Loading the HelloWorld class in the Waterken Server produces XML like:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"
href="/xsl/http/web-calculus.org/"?>

<list>
<doc schema="">
<greeting schema="">
<target>./?key=kl7g-btwb-iiqy</target>
</greeting>
</doc>
</list>

It almost seems as though there should be a URL that
causes that above XML to come back to the browser.
But the Hello World URL is:

%20World%20greeting

iang

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org

Ian G wrote:
Sandro Magi wrote:
>Ian G wrote:
>>
Sandro Magi wrote:

>Tyler posted a series of "Hello World!" examples here:
>>
>

Is that document up to date? In the text it
refers to web-calculus.org but in the links
it goes to yurl.net.

Yes, it is up to date as far as I know. The web-calculus.org URLs are
for the standard web-calculus schemas. Browse them at:

http://web-calculus.org/

Also, it is not clear
what the point of the first XML is is
that displayed on a browser?

All XML shown there is what is returned when a client requests that
resource. What a browser actually displays depends on the stylesheet
specified in the XML (if the browser supports XSLT that is).

This one:

Loading the HelloWorld class in the Waterken Server produces XML like:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"
href="/xsl/http/web-calculus.org/"?>

<list>
<doc schema="">
<greeting schema="">
<target>./?key=kl7g-btwb-iiqy</target>
</greeting>
</doc>
</list>

It almost seems as though there should be a URL that
causes that above XML to come back to the browser.

There is a YURL that returns the above XML. It just isn't linked from
that page.

But the Hello World URL is:

%20World%20greeting

You are mixing up HelloWorld-class and a HelloWorld instance.

%20World%20greeting

The above YURL refers to a HelloWorld.getGreeting() YURL, which simply
returns a string. The HelloWorld-class is the description of the
HelloWorld class, which has its own YURL.

Sandro

cap-talk mailing list
cap-talk (AT) mail (DOT) eros-os.org