If you can manage a TLDR on this it would be useful. I looked briefly a while ago and couldn’t make head or tail of it. Lots of this is important cool etc but I didn’t see what or why.
Currently the linked page is the TLDR. It does not contain too much text, and provides further pointers for those interested.
(For specific questions to the project lead see here on SocialHub)
Edit: Since I posted the comprehensive 30 min. APConf video by Christopher Lemmer Webber has been added to the site.
FYI I chatted with Christopher yesterday (here) and he pointed me to that video in my search for a tl;dr. That was useful, I watched the first half and skimmed the second which gave me a good overview.
Spritely uses object capabilities and he was very excited when he thought Solid had begun using them, so much so that he kept missing that I corrected that Safe has switched to them, but Solid was still using ACLs. We both see this as a big limitation, and so something to think about here.
After @sergejspomer posted his Master’s thesis about Solid ACLs there was a very useful discussion on the Safe forum between Serge and Jim Collinson exploring both approaches from the points of view of each project’s implementation, so I pointed Christopher to that, and specifically where Jim explains his ideas here.
1 Like
@happybeing do you or SAFE or Jim Collinson take the view that ACLs are not useful at all?
I think they are not as [cough] capable. Not something I’ve studied, I’ve just followed the discussions, but I think you get a lot more functionality with object capabilities.
I will as usual engage in some lame and probably irrelevant speculation…
Access control lists are like policies. Object capabilities are like keys. So there are places for policies and places for keys. Sometimes keys will be issued in contravention of policies and sometimes policies will be issued which make keys useless, like in a hotel with electronic locks and card keys.
There’s nothing to stop you having policies for issuing capabilities. Also, capabilities are more than keys - they can be conditional, time dependent etc.
1 Like
“ocap is authority by possession, as opposed to authority by identity”
says cwebber.
That is really clear and seems to remove potential issues of discrimination based on identity, but then possession becomes everything.
What happens if you lose a capability or are tricked into giving it away? Then maybe you’ll need lawyers and title companies and insurance companies to safeguard your access to your important object capabilities.
Also possession can become the basis of discrimination just like land ownership.
ACL’s versus OCAP
Today I joined the ActivityPub Conference BoF session about Spritely and asked Christopher about “ACL vs. Ocaps” specifically wrt Solid. He thinks the choice for ACL is a bad move on Solid’s part, and gave an elaborate explanation.
It boiled down to that there are 2 vulnerabilities in ACL’s and a couple of ‘non-niceties’. Most important wrt the latter is enormous complexity, especially in decentralized and distributed environments.
I’ll just name the vulnerabilities here:
- Ambient authority
- Confused deputy problem
As resources that best explain the issues there are: ACL’s don’t (PDF) and Racets: Faceted Execution in Racket (video).
Lastly, an important aspect mentioned by Christopher was that “ACL’s are just not all that interesting” … as a technology for the future. In that regard Ocaps offer way more possibilities.
Whatever the opinions and viewpoints are, I think it would be really worthwhile if @timbl @RubenVerborgh @justin @megoth et al had a meeting with Christopher. Also, if the whole Fediverse decides to go the Ocap direction, then it would be a real missed chance if Solid wasn’t that attractive anymore given the ACL approach.
(Note: I am not in the know of any prior discussions that already took place, and what the nature of missed opportunity might be. I am just cross-communicating because I would love to see How Solid and ActivityPub complement each other best)
5 Likes
Hello! As a forewarning, don’t expect me to do a good job catching up on this but feel free to reach out to me if I should follow up. But I felt the need to clarify one thing: the Racets talk was meant to be in contrast as a non-ocap approach that has an explosion of complexity around its code to handle access control that, if you read Jonathan Rees’s “Security Kernel based on the Lambda Calculus” (though I can’t post since I’m a new user), you’ll see how much simpler things can be. The real a-ha is when you realize that the code for the ocap approach could be pretty much just all the normal programming code (Scheme here, but JavaScript is also possible; the Agoric folks are trying to enable the same things in js-land). It turns out that normal argument passing to functions, object methods, etc is our security model. We already had it, if we took it seriously!
I’m happy that in ActivityPub we achieved a lot of interop availability through Linked Data Notifications. I’ll admit though, the main reason I haven’t paid much attention to SOLID is because it has an ACL approach. I’m confident that this will hold SOLID back from its lofty and honestly really thrilling goals. And I’m a linked data fan… there’s a reason that AP is also linked data
It took a long time, and research, for me to come to the conclusion that I couldn’t do the kinds of things I wanted to do in Spritely with an ACL approach and that an ocap approach was necessary. I think an ocap approach could compose nicely with SOLID, and I vaguely read that the SAFE on SOLID approach is doing so though I haven’t honestly fully followed it…
I’m semi-happy to discuss further, but I’m also very busy; I’m interested more in discussing really if the SOLID core developers are interested. If not that’s totally cool and I wish the SOLID project well
7 Likes
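As an added illustration (not code from any poster, Spritely or Solid), the JavaScript sketch below shows the confused deputy problem named in the thread under an identity-checked ACL, then the same deputy written so that authority arrives only as a passed argument, wrapped in a revocable forwarder. Every name and path in it is constructed for the example.

```javascript
// Constructed example: every name and path here is hypothetical.
const files = new Map([["/billing.log", "invoices"], ["/home/alice/out.txt", ""]]);

// ACL style: authority by identity, checked against whoever is running.
const acl = { "/billing.log": ["compiler"], "/home/alice/out.txt": ["alice", "compiler"] };
function aclWrite(who, path, data) {
  if (!(acl[path] || []).includes(who)) throw new Error("denied");
  files.set(path, data);
}
// The deputy runs as "compiler", so a path named by any caller is checked
// against the deputy's rights rather than the caller's.
function compileWithAcl(outputPath) {
  aclWrite("compiler", outputPath, "compiled output");
}

// Ocap style: authority by possession, handed over as an ordinary argument.
function makeWriter(path) {
  return Object.freeze({ write: (data) => { files.set(path, data); } });
}
// Caretaker: a forwarder that the grantor can switch off later.
function makeRevocable(target) {
  let live = target;
  const proxy = Object.freeze({
    write: (data) => {
      if (!live) throw new Error("revoked");
      live.write(data);
    },
  });
  return { proxy, revoke: () => { live = null; } };
}
// This deputy never resolves a name; it writes only through what it is given.
function compileWithCap(outputWriter) {
  outputWriter.write("compiled output");
}

function demo() {
  compileWithAcl("/billing.log"); // alice has no ACL entry here, yet it is overwritten
  const aclClobbered = files.get("/billing.log") === "compiled output";
  files.set("/billing.log", "invoices"); // reset for the second half
  const { proxy, revoke } = makeRevocable(makeWriter("/home/alice/out.txt"));
  compileWithCap(proxy); // alice can only delegate what she holds
  revoke();
  let afterRevoke = "allowed";
  try { compileWithCap(proxy); } catch (e) { afterRevoke = e.message; }
  return { aclClobbered, billing: files.get("/billing.log"),
           out: files.get("/home/alice/out.txt"), afterRevoke };
}
console.log(demo());
```

In plain JavaScript the deputy could still reach `files` through module scope; confining that reach is what an ocap-safe environment adds on top of this pattern.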
@cwebber has some very good news about the Spritely project:
Jessica Tallon will start to work on the project, and specifically on the implementation of Petnames with an implementation in Goblin Chat.