Description
As social systems grow, we need patterns that allow us to grow social connections while maintaining safety and trust. Ocaps (object capabilities) fill this void by allowing consensual connections between parties, and even allow participants to intentionally share those connections with others. But how can we allow for the establishing of new connections without opening ourselves up to runaway abuse?
This talk discusses Horton, a "whodunnit" layer built on top of object capabilities, allowing us to establish connections while preserving accountability and the ability to reason about trust with a reduction of fear.
A: ActivityPub Conf itself, happening right now, is having Mark Miller as a keynote for ActivityPub Conf, and so I admire Mark for a number of reasons, one of which is that he's the only person I know who's extremely well informed and also still seems optimistic about the future of humanity. So that's one, and also I had to say that I had a conversation with him once where we were walking around. We were talking about some of the standards work that he's done and I said, well.
A: Do you think that some of that standards work (Mark's done quite a bit on JavaScript standardization), do you think that that was a distraction from your main goal of, you know, advancing security in the space? And Mark said, oh no, I think that I'm very proud that the last 30-plus years I've managed to stay focused on the vision and everything's culminating right now. And so I wanted to give a little bit of a history about what Mark's background is and how it relates to this space.
A: So, first of all, Mark Miller was one of the main people in Xanadu, which was a precursor to the World Wide Web that we have today and informed many of its ideas, and maybe even had a lot of ideas that were better than what we ended up getting. But you know, some of those ideas are actually coming around today, as we speak. Sometimes things are just before their time. But I think that's really where the journey starts.
A: Here are the Agoric papers that Mark Miller wrote in 1988, which really laid out their vision for a society of distributed computational machines, where humans are in that loop of computation, and it really is a society. But my understanding is Mark didn't know how to build that society of computing machines when he first wrote it, is that correct? And so he ended up learning that through his friend Norm.
A: My friend Asheesh Laroia, who was working at Sandstorm at the time, said, yeah, but everybody who's really interested in ocaps is really excited about E. And I tried looking at the E website and I was like, what the heck is this thing? And I could not make sense of it initially, and it really took until we met in person and Mark patiently explained a lot of ideas and drew out some of the things and said you need to see these things animated, and you're gonna see some of Mark's
A: animations of these things live to really make sense of it. And aside from that, if all that seems too abstract to you, you actually use Mark Miller's work every day, because Mark has really been pivotal in the extraordinary accomplishment of making JavaScript the only language that's gotten better over time rather than worse, and a lot of that is because many of the good ideas in JavaScript actually came straight from E.
A: For example, promises in JavaScript are straight out of E, and many other things as well, and there's more things on the horizon that have been bubbling up, that have been there in the background, that are just starting to hit the community. And Mark has also been heavily involved in the development of WebAssembly. So you use a lot of work that's directly tied to the stuff Mark has done every day, whether you really realize it or not.
A: So now Mark works at an organization called Agoric, which describes itself as the leader in smart contracts, and it really is a leader there, but I think a lot of people in this community probably have a misunderstanding of what smart contracts is, because due to Ethereum most people parse smart contracts as being code
A: that runs on a blockchain. But it's not quite that; it's really about enabling secure collaboration between untrusted entities online, and the work precedes blockchains by about 25 years or so. So you know, meeting Mark in person was in many ways really a life- and career-changing event for me. It really set a new track along the things that I thought were possible. I was interested in object capabilities, but in many ways I often dismissed them, because I
A: thought all these ideas look really good on paper, but they're not usable. And so I kept coming up to Mark and saying, yeah, ocaps are really great, but I can't do this thing, and Mark would say, oh, we actually already figured that out, here's how to do this thing. And I'd be like, oh, OK. And then I'd be like, OK yeah, but they can't do this thing, and then Mark would be like, oh, we figured that out, and I'm like, oh yeah.
A: OK, this next thing solves another 10 problems I didn't realize that, OK, you're right. And that was kind of a long series of engagements that Mark was very patient with me in my exploration of. So one of the biggest ones of these things, for those who know: object capabilities are about reference- or possession-based authority, the same way that your cars, historically at least, didn't care who was driving them. It was whoever had the key was able to turn it on and make it run.
A: But human beings care a lot about identity. Who do you decide to give a car key to? And oftentimes that decision is based off of an accrual of identity information in your mind, and it seemed to me that ocaps just didn't have any way to deal with this. And Mark really changed my mind when we started talking about pet names and then when he started talking about Horton, hence the Dr. Seuss reference, and by the way, Dr.
A: And it turns out all these ideas can tie together, and when we tie them together it actually opens us up to some of the things that we really didn't know that we could do before, and we have an opportunity to expand far beyond merely the kind of social network stuff that we've seen in the Web 2.0 land of Twitter and Facebook and stuff like that. Something way beyond that, but we're going to need the ideas that Mark and his colleagues have been working hard on in order to be able to do that.
A: Anyway, I'm not gonna hand over to Mark yet, I wanted to say one more thing. This is a real personal request. So when Morgan and I often sit down, what we do for fun in the evenings is to sit down and read and drink tea, because we're boring people and we like being boring people, right? And you know, we both choose our books very frequently. This is the book I end up reading. Do you recognize this? Can you say what this book is?
B: Thank you, Chris, that was an extraordinary introduction. I want to say that this 30-year journey was also a journey with many other people who were very much collaborators with me on this journey, too many people to list, but I want to call out just in particular: the Agoric papers were co-authored with Eric Drexler, and Dean Tribble has been the closest partner with me through many phases of the journey, going back to Xanadu, going back to the origin of promises, and through today as co-founder of Agoric.
B: Tens of thousands of years ago, our social systems, humanity, lived in systems that were neither robust nor open. We were huddled together in small tribes where, within the tribe, we had nice social systems of cooperation with people that we knew. You can think of those as these islands of green fields of cooperation in this vast sea of poisonous violence, violence both from predators and from other people that were generally assumed to be hostile and often were hostile.
B: Over time, we learned to invent systems that enabled us to cooperate better with each other, various patterns, various new institutions, and over time the cooperative networks between us grew through the phase transition to where they became the spanning networks that covered the world, these vast networks of cooperation becoming this world-covering green field of cooperation with these isolated pockets of violence remaining.
B: But when you actually do a good comparison with history, today our world is extraordinarily less violent than it's ever been, and on this wonderful world of mostly nonviolent cooperative interaction there emerged a new level of abstraction, which is the online world, the world of the Internet, the world of the web, the world of email. And in its young days when it first came about, it was also this very pleasant, worldwide, friendly, cooperative framework in which almost all interactions were pleasant, and we could approach it
B: with this simple, open-minded expectation of cooperation. And then a new form of problem started growing in the online world, and to understand the nature of the new problems that we're facing, we need to understand the difference in security between the physical world and the online world. And one example that many of us might remember is, in the physical world we always had the problem of junk mail, where it was a perpetual annoyance.
B: It was a perpetual annoyance we all put up with, where we would pick up our mail and then we would manually sort through and throw away all the junk mail. But it was an annoyance that we were able to put up with because it was still feasible to sort through the mail and throw away the junk mail. With the coming of email, we had many benefits, but we also had this explosion of spam.
B: There are two fundamental differences between security in the physical world and security in the online world. In the physical world, we cannot build impenetrable walls. We can build stronger and stronger walls, but for every stronger wall there is a stronger degree of force that can be applied to it to penetrate the wall.
B: By contrast, in the online world we have cheap, perfect boundaries. Our hardware gives us address space boundaries, which we use to build operating systems. Our memory-safe programming languages give us object encapsulation, and modern cryptography gives us cryptographic primitives which are close enough to perfect for most purposes. Most breaks in cryptographic systems are not due to weaknesses in the cryptographic primitives.
B: So as far as just an isolation mechanism, when all you're trying to do is create a boundary, create isolation, these mechanisms are perfect. Of course, we do a lot more than just isolation, so the overall picture is more complicated. But the other fundamental difference is bad news for the online world. In the physical world, an attack takes scarce resources of the attacker. If nothing else, it takes some of the attacker's attention.
B: People who make safes talk about work factor. Work factor is the effort the attacker needs to engage in to overcome the defenses, and if the expense of the work factor is greater than the value of the valuables in the safe, you're winning. In the online world, the attacker can use automation to multiply their attack by billions at no cost to themselves. To the degree that there's any cost at all, it's often an attack.
B: The danger is that we react to that flood of poison by retreating back into fortresses, back into isolated communities where we have nice, friendly interaction within the community but we're cut off from the larger world and we're not welcoming to strangers. That would be a tremendous tragedy, for us to lose this sense of friendly worldwide cooperation.

B: A way to think about the trade-offs is in terms of this curve; there's always a trade-off curve between cooperation and safety. In the early days of the Internet, we were all naively cooperative with each other, not knowing that the nature of our cooperation left us unsafe. We didn't know it because no one was attacking us. As the attacks started increasing, the danger is that we simply go to the other end of the trade-off curve and acquire our safety at the cost of sacrificing our cooperation at a distance, our cooperation across vast networks.
B: What we need to do instead is lift the trade-off curve. We can never get rid of the trade-off curve; there's always a trade-off. But if we lift the trade-off curve, then for the same amount of safety we can engage in more cooperation, and for the same amount of cooperation we can engage in it in a safer manner.
B: So decentralized naming means that we cannot rely on a central naming authority, but we want names that are free from impersonation, so no one can seem to be you. If someone can seem to be me in talking to my buddy, then they can be phishing my buddy, to lead them to interact with the attacker when my buddy thinks they're interacting with me. But we want to solve the impersonation problem without centralized naming authorities, because centralized naming authorities create a censorship problem.
B: We want names that no one can take away from us, and names such that no one can prevent someone from communicating with us if they know our name and we want them to be able to communicate. And a way to understand what these two constraints are together is by analogy with another decentralized system that has shown that essentially the same two security problems are simultaneously solvable. An account that you have in Bitcoin is keyed to the name of the holder of the account, i.e. the account on the chain has a public key.
B: The holder of the account knows the corresponding private key and has generated the private key / public key pair. The resistance to impersonation is: no one else can generate a private key that has the same public key, and therefore no one else can spend your money. And the fact that you generated the key pair, you didn't depend on anybody else to do that, and you're using it in a system that is itself decentralized, means
B: no one can stop you from spending your money when you cross a border, no matter what the capital controls are, no matter what the border rules are, if you've memorized your keys. In a case where things are desperate enough, where you need to do that, you can still cross your border and no one can stop you from effectively taking your money with you. So we want the same kind of security and decentralization for our knowledge and ability to communicate with each other.
B: So there's two fundamental safety problems we need to solve, and two basic approaches to operating in a safe manner, which I divide into the proactive and the reactive. Proactively, we want to be able to engage in activities in such a way that we're safe by construction, that we operate in such a way that by default we're not creating unnecessary dangers. But nevertheless, sometimes we'll mess up; sometimes we'll, for example, hand out authority inappropriately, and for whatever reason, sometimes the system will operate in a way that is less safe than we intended.
B: So the core of any security paradigm is its access control paradigm, and there are two fundamental access control paradigms, which are the authorization-based paradigms, for which the main example is object capabilities, and the identity-based access control paradigms, for which the main example is access control lists. Access control lists are the ones that you're familiar with, because all of our operating systems, all the industrial operating systems that people have experienced, are all based on identity-based access control. And the key thing about identity-based access control is all access
B: decisions are rooted in the question: who are you? You perform an action, the action is tagged with your identity, and then your identity is looked up somehow, and depending on who you are the action is either allowed or disallowed. And this has many intuitive benefits, but it also has many problems, and there's a long literature on the problems.
B: The strength of this paradigm is its support for reactive damage control, but the problems make it very poor at proactively building safe arrangements. Object capabilities, on the other hand: its advantage is very much on the side of proactively building safe arrangements. As Chris mentioned, the car key is a perfect example. The car key is a right. It's a bearer right. It's one that I have the right to by holding the key, and if I want to lend Chris the ability to drive my car, I just hand them the key.
B: There's really three logical ways to go about this. One is we can start with the foundational mechanisms of access control lists, and we can use those mechanisms in a surprising manner to support the benefits of the left-hand column, and there have been some very good systems that have done this: Polaris, Plash and Bitfrost. And these are interesting; they're worth studying. If you're stuck with access control foundations, it's worth engaging in those techniques too, to use them in a safer manner. But these systems have problems under composition.
B: They don't compose well, and they only help one more level deep and then they stop helping. So experience has shown us that this helps, but it's not the solution that we can take forward. In the 1970s and 1980s there were a variety of systems that engaged in what we call hybrid capability systems.
B: This is a very intuitively obvious approach for combining both strengths here, which is: just build foundations that have both the object capability mechanisms and the access control list mechanisms in the foundations, and then an action is allowed only if it is allowed both by the rules of object capabilities and by the rules of access control list systems. And unfortunately, these systems also showed problems under composition. We built these in order to gain the best of both worlds, and we did not succeed at doing that. In some ways,
B: this way of combining the attributes gave us the worst of both worlds. So really there's only one thing left to try, which is: start with pure object capability foundations and then try to build the attributes of the right-hand column by patterns, by creating patterns of the use of object capability foundations to get those benefits.
B: But first, since it's unfamiliar, I'm going to explain object capabilities themselves, and I want you all to pay a lot of attention, in particular, to the visual language that I'll be using on this slide, because it's important to understand this visual language, as I'll be reusing this visual language throughout the rest of the talk. And I'll be explaining object capabilities in terms of objects of an object-oriented programming system, because it's the best and closest analogy, but I want to emphasize that object capabilities are an abstract logic that can be built on many different substrates.
B: It is another way, common among object programmers, which is A sending the message foo of C, sending that message to B, and the parameter C is a copy of A's pointer to C. And A is able to do this because A already has a pointer to B and A already has a pointer to C, and when B receives the message, B now has a pointer to C.
B: So the main difference between objects and object capabilities is that these messages sent on these references, in an object capability system, are the only means by which an object can cause effects on the world outside of itself. The references, the thin arrows, are the permission system. In the initial conditions, when B did not have a pointer to C, B could not invoke C; B could not send it a message.
B: Was this message sent by A or B? But there's a problem with that approach. That was essentially the hybrid capability approach. There's a problem with that approach, which is objects are ephemeral. They come and go with great velocity. By the time somebody looks at what happened as a result of messages to C and decides that a particular message, in retrospect, should be judged as abusive, there is no object.
B: The larger unit, which let's say is a person: these objects, executing on Alice's behalf, have sent messages that in retrospect we judge to be abusive, so we're going to stop accepting messages from Alice. So these large-grain responsible identities can be people, can be corporations, can be other organizations. The key thing is that there's something that's at a granularity where they have a lifetime and an identity that's meaningful to a human being who's looking at the abuse and making a judgment about cutting off access.
B: So, proactively, when abuse has not happened yet and no one has made any damage control decisions, we want a system that just operates as a simple object capability system, in which object A, that happens to be run by Alice, can send a message to object B, that happens to be run by Bob. So before any abuse has happened, we want to build a system in which A can act as if it's pointing directly at B, and where A, when it executes that piece of code, sends a message towards B.
B: But what actually happens, to enable the reactive damage control, is that the message doesn't immediately go all the way to the object B. Rather, it goes to Alice's outgoing sentry, and the sentry first asks the question. This is Alice's sentry for the object that represents the object B within Alice.
B: The sentry first asks, do I still make use of Bob's services? And since no damage has happened yet, the answer at this point is yes, but the sentry still records that we're asking Bob to deliver the foo to B. Notice that we're recording Bob as the responsible entity, even though at the object level we're sending the message to B. Having recorded that, we send an encoding of the message over to Bob's incoming sentry, which first of all does the check, do I still honor Alice's requests? And since again, since no abuse has happened.
B: There have been systems that have been built by these principles. The SCoopFS system at HP Labs, Secure Cooperative File Sharing, which was a decentralized file sharing system where various parties could arrange to propagate file updates to each other, and to keep track of who they've given permission to get a file update and who they've given permission to receive a file update from, who I've given permission to update my copy of the file based on their changes. And the SCoopFS system keeps track of the updates.
B: So if I find that a particular file of mine has become full of garbage, and I can see that the update itself came from Marcus, I can decide to cut off Marcus's further access, so I'm holding Marcus responsible. But what is the unit that I'm holding responsible? It's a little bit too simple to say that the unit is simply Marcus the person. These spheres represent our units of responsibility in this system.
B: Alice the human interacts with the system by interacting locally with her software running on her machine (I'm assuming a fully federated system here), and she interacts with that software through her local user interface. Her software then sends messages over the network to Bob's software, that then renders, through Bob's user interface, information that Bob the human being can then react to. If Bob is getting abusive messages, that is from the Alice unit.
B: Bob doesn't need to know or care: are these abusive messages coming because Alice is running malware, or because Alice has turned evil and decided to send malicious messages? In both cases, Bob will simply hold Alice responsible for the bad action of her objects. That's not a moral judgment; if Alice is running malware which is sending the bad messages, it's not Alice's fault in some sense, but still Bob has to hold Alice as a whole responsible for the bad actions of her software, in the absence of any other evidence.
B: With this picture, we can now better understand what the issues are in doing a decentralized naming system with integrity, because there are several different languages going on here that are being translated between. If Alice, let's say, wants to send a message to Bob, where Alice herself is telling Bob, here, use this lamp, she's communicating to Bob permission to turn this lamp on and off.
B: So what Alice sees through a user interface is something that has to be human-meaningful at the user interface level, something where Alice can feasibly understand what it is she means to be designating, but where the meaning of those designators is really what it is they designate: that she's sending the message to the person that she thinks of as Bob, and that the lamp that she's giving permission to Bob to switch on and off is the lamp that she thinks she's giving permission to.
B: No one can appear to Bob to be a different Alice than the one that Bob thinks of as Alice, and in particular, with regard to the lamp, no other lamp can invade the system and appear to Bob to be the lamp that Alice meant. And censorship resistance means that we cannot depend on an external, centralized naming authority.
B: It needs to be human-meaningful, because these names have to show up in the respective user interfaces. So any user interface that tries to identify something by showing a human being a big cryptographic key is a failure; that should never need to appear in a user interface where a human being needs to understand what entity it designates. So we need some kind of human-meaningful designators, such as human-meaningful names, and it needs to be globally meaningful.
B: They never know what our pet name is, what our contact list name is for them. So when Alice calls Bob, she might look up Bob in her contact list. Alice's software then translates between her contact list and the phone number. Now, the phone number is a numeric address that's not human-meaningful, but it still depends on the phone company, so it's not censorship-resistant. But imagine that was a cryptographic key
B: instead. When Bob receives the phone call, his software gets the phone number of Alice and once again translates in the other direction, through his contact list, from the address back to the pet name. And the levels of translation that we saw between the various layers as we went from Alice the human to Bob the human correspond to the opportunities to do this translation in the system.
B: In a social network, the interesting introduction, the interesting other objects, other things for Alice and Bob to talk about are not lamps but other people, and other people themselves also have their own software and are in the same kind of relationship as Alice and Bob. So before we get into the technical details, I want to mention something that happened to me this morning on the way to ActivityPub Conf, which is I called Uber, and then something amazing happened.
B: Why is it that this works, and it works so well that we're now starting to take it for granted? And the reason is that Uber, represented by the radio tower in the left-hand corner in the role of Alice, has communicated to both Bob and Carol enough information that they can authenticate each other. Now, authenticate each other, what does that mean? It doesn't mean that Carol knows precisely who Bob is, that Bob is a particular person that lives at a particular address, because it wouldn't be meaningful to her anyway.
B: That's not the question that she's asking. The question that she's asking is: is this the Bob that Uber meant to introduce me to? And likewise Bob is asking, is this the Carol that Uber meant to introduce me to? So Uber provides them enough information to authenticate each other, with which the ride happens and I arrived at ActivityPub Conf.
B: So what this looks like in terms of the elements in our system is that Alice, Bob and Carol are all these spheres with the human component and an object component, and Alice sends to Bob a message using her pet name for Bob in the To field. But the key thing that this system does that our phones don't do is she can use her pet name for Carol in the body of the message, and she does it in such a way that her software understands that that's intended to be a use of a pet name.
B: Well, the answer is no, and the answer is necessarily no, irrespective of mechanism, in any such system. At this point the answer must be no: if Carol has only met Bob online through this one introduction, then Carol has to wonder, is Bob a pseudonym for Alice? And because Carol can't tell that Bob is not a pseudonym for Alice, whatever bad behavior Bob engages in, Carol has to hold Alice responsible for it. Well, it's still meaningful for Carol to hold Bob responsible and for her to do all the bookkeeping needed to do that.
B: On the other hand, if a bad message comes from Bob, well, Carol has no history with Bob. Carol holding Bob responsible means that one bad message is enough to cut off Bob's access, but Carol should still demerit Alice's access by one, make suspect that Alice might be starting on a pattern of abuse, but know that Bob might be independent. And Bob has the same problem: he's never heard of Carol before. Is Carol a pseudonym for Alice?
B: What this hover is showing in Secure Scuttlebutt, let's say showing to Carol, is that all of these different people have introduced Carol to the same Bob, and because they're all introducing her to the same Bob, that gives Carol significant evidence that Bob is independent of any one of them. In our notation, we've gone from this situation to this situation when Dave performs a second introduction between Carol and Bob.
B: Capabilities have the slogan: only connectivity begets connectivity. If you have two isolated subgraphs, they remain forever isolated, because no one can introduce them. So this can degenerate into the fortresses that I've talked about. It can degenerate into the phenomenon that's sometimes called the old boys' network, where a stranger coming in from the outside has no way to knock on the door of a community that they'd like to participate in, and enter and become accepted and become friends with the people in that community.
B: And that means also that the communities cannot become connected to each other. So we want to add a cold-calling primitive, which Chris described yesterday. What I mean by cold calling is people in the network want to be able to say, here's the inbox, here's the separate inbox at which I will accept messages that don't come from an introduction.
B: The thing that prevented the explosion with the junk mail problem (it did not prevent the irritation, we still got junk mail, but it prevented the explosion of the problem) was the stamp. The stamp is a small marginal cost per message, and for a normal, friendly cold call there's a small number of stamps that you need to spend for friendly behavior. This is not an undue burden, but if you want to send billions of such cold-calling messages, then suddenly a cost per message becomes a significant burden.
B: There was a prior decentralized federated social network that operated with these principles, called Petmail. Petmail, as you can guess from the name, was also a pet name system. It also had this logic of corroboration, but furthermore it had the open public inboxes for cold calling, but it attached a per-message cost to the cold call. It didn't do it by stamps; it didn't do it by money transfer; it did it with a CAPTCHA, and a CAPTCHA is a perfectly fine way to cause per-message overhead to the attacker.
B: So some mechanism still needs to successfully cause a marginal cost to the attacker. The nice thing about stamps, and the nice thing about money transfer, is it also compensates the victim, as Chris mentioned yesterday. Now, people cold-calling me, if they're cold-calling me with messages that I'm not interested in, well, they've paid for the privilege and I've benefited by receiving their payments.
B
So there's been some entry of some degree of abuse into the network, but with all of this support for attributing abuse and doing reactive cutoff of further access, Dave can cut off access of those outside parties, and Carol can decide that Dave was kind of naive in letting those guys into the network. So Carol can decide to trust Dave less, but continue to interact with him.
B
Enabling us to figure out how to successfully cooperate with strangers, with other people at a distance, allowing us to extend our networks of cooperation to the point that these large-scale networks of worldwide cooperation through federated decentralized systems are the networks of relationships that cover the world, and to beat back the abusive activities into isolated lakes of poison within this vast landmass of green fields of cooperation. It's not a perfect solution, just as it wasn't in the physical world.
B
So we've rebuilt an identity system that has the attributes that we've associated with ACLs. We've rebuilt an identity-based system for reactive damage control on top of our object capability basis. How did we do compared to the identity-based access control systems that people are familiar with?
B
And we're assigning responsibilities. We're doing the record-keeping to assign responsibility for introductions, so that Carol, when she receives abusive requests from Bob, can not only hold Bob responsible but understand the introduction structure by which she came to know Bob, and can hold Alice responsible, to a reduced extent, for Bob's bad activities. If Alice keeps introducing Carol to players that Carol doesn't like, then Alice loses points with Carol.
B
We found this repeatedly: that people coming from object-oriented programming can take up object capability programming very quickly. What we've also found is that people coming from other security paradigms take up object capabilities less quickly, because the difference in the arrangement of computation and identity is a bigger burden than the difference between object-oriented programming for functionality versus object capability programming for both functionality and security. So learning object-oriented programming was something that took the world 20 years to do.
B
In addition, I should mention that my company Agoric is building such a decentralized object capability system on top of an object capability runtime for JavaScript. JavaScript will seem surprising, but I've been on the ECMAScript committee since 2007. I got the enablers, as Chris was mentioning, from E into the JavaScript standard, to enable JavaScript to be used as a safe object capability programming language, and that immediately opens up the ability for programmers to write security patterns both using object pattern concepts that they're used to and using a language that's familiar to them.
B
Thank you. At Agoric, we're building support for smart contracting that can realistically be used in large-scale collaborative networks of commerce and complex voluntary cooperative interaction. That, again, we hope to span the globe, to bring the world economy online through these primitives, and in such a way that.
B
That's going to be up on YouTube soon, called "Can Blockchains Provide Rule of Law". There's something like four billion people in the world that do not have the benefits of rule of law because of the expense of lawyers and human adjudicators. Even in countries that do have the rule of law, it's often out of reach, practically, to many people in the country, because the cost of using the rule of law mechanisms is too great. A smart contracting fabric can enable those benefits at tiny costs.
B
Or, for whatever reason, there is an arrangement such that the mutual parties to the contract mutually trust the computer that they're run on. And I wanted to focus on, since I said blockchain: to us, a blockchain is only one of many platforms. We're building a decentralized, distributed smart contracting fabric on top of JavaScript that runs in a blockchain-independent manner, but runs also across chains and non-chains, across both public and private systems, so that it can be a network of cooperation of maximum reach, to us.
B
The important thing about a blockchain is it's a mutually trustworthy computer, so that for a program running on a blockchain as the computer that it's running on, there can be worldwide credibility that the program executes according to what the code of the program says, and that's clearly, for some contracts, very valuable. Many contracts are local. They don't need to be run on public blockchains. They don't want the public visibility that comes from running them on public blockchains, so any other arrangement that the cooperating parties can come to, to mutually trust.
A
We've got to wrap it up. I want to say a couple of things real quick. One, and I said I wouldn't do this, but I want to elaborate on one point. Just the one thing that I think is really important to make clear is that ocap programming is just normal programming. Actually, if you remove global state, it's just argument passing between functions, and it doesn't require object-oriented programming. You can even do it in functional systems.
A
Oh, I really want to be able to go to yours, but it's at this timeslot. And then try to see if we can collaboratively rearrange the schedule so that people are mostly pretty happy and able to go to the things that they're really excited about together. So that's what's happening now, so let's get to it.