Norman Hardy; 2009 Feb
This note explores more thoroughly the ideas I first noted here.
That explanation assumes too much familiarity with capability patterns, and is also vague on some points that have interesting and useful variations.
I explore an interesting trust complexity gamut with the dramatis personæ given above.
- R is aware of Q but not P.
R’s needs are satisfied by the yield of Q’s factory, which invoked P’s factory when the q for R was produced.
The p inside q is unknown to R.
This is indeed the normal and standard pattern for complex objects.
- R is aware of P and wants a p in some initialized state that requires clever initial invocations of p.
Q’s factory buys a new p from P’s factory, performs the special initialization of p, and passes a boxed version of p back to R, who invoked Q’s factory.
If it is agreed that there is some property of a q that will continue to apply despite arbitrary invocations of p, then the box can be used later to convince others that p still has the property.
- If there is an algorithm to test, by invocations of a p, whether p has some persistent property, then Q’s program can apply this algorithm to a used p in order to vouch for a p that has been accessible to untrusted actors.
Some properties will require test algorithms that have exclusive access to p during the test.
Q would have to acquire exclusive rights in some manner.
The box referred to above immutably holds a key.
It will return the key, and the box factory will vouch for the boxness of the box.
Some boxes (but not those above) will not return the key; instead they compare the held key with a proffered key.
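As an added example, not from the note, here is a Python sketch of the patterns above. A brand (a private class per factory) stands in for real sealing, so Python's lack of encapsulation means this only models the protocol. Both kinds of box appear: one that returns its key and whose factory vouches for boxness, and one that only compares a proffered key. The P/Q/R pattern is then played out with a constructed `Counter` as p, a `floor` argument as Q's special initialization, and a `vouch` function; those names and the choice of "value never decreases" as the persistent property are all assumptions.

```python
# Added example (not from Hardy's note): the factory/box patterns in Python.
# Python provides no real encapsulation, so a per-factory class models the brand.
# Counter, floor, p_factory, q_factory and vouch are constructed for illustration.

def make_box_brand():
    """Return (box_factory, is_box) for a fresh brand of box.

    A box immutably holds a key and hands it back on request; is_box vouches
    that an object really came from this factory (its 'boxness').
    """
    class Box:
        __slots__ = ("_key",)

        def __init__(self, key):
            object.__setattr__(self, "_key", key)

        def __setattr__(self, name, value):
            # The held key can never be replaced once the box is made.
            raise AttributeError("box is immutable")

        def key(self):
            return self._key

    def box_factory(key):
        return Box(key)

    def is_box(obj):
        # Each call of make_box_brand defines a distinct Box class, so a box
        # from another factory (or a look-alike object) fails this check.
        return type(obj) is Box

    return box_factory, is_box


def make_compare_box_brand():
    """Return (compare_box_factory, is_compare_box) for the other kind of box:
    it never returns its key, only whether a proffered key equals the held one."""
    class CompareBox:
        __slots__ = ("_key",)

        def __init__(self, key):
            object.__setattr__(self, "_key", key)

        def __setattr__(self, name, value):
            raise AttributeError("box is immutable")

        def matches(self, proffered):
            return self._key == proffered

    def compare_box_factory(key):
        return CompareBox(key)

    def is_compare_box(obj):
        return type(obj) is CompareBox

    return compare_box_factory, is_compare_box


class Counter:
    """A constructed stand-in for a p: its value only ever increases."""
    def __init__(self):
        self._n = 0

    def bump(self, k=1):
        if k < 1:
            raise ValueError("bump must increase the counter")
        self._n += k
        return self._n

    def value(self):
        return self._n


def p_factory():
    """P's factory: yields a fresh, uninitialized p."""
    return Counter()


def make_q_factory(floor):
    """Build Q's factory and Q's vouching function for a floor >= 1.

    Q's factory buys a p from P's factory, performs the clever initialization
    (raising the counter to `floor`) and returns it boxed under Q's private
    brand.  A Counter never decreases, so 'value >= floor' persists however
    R later invokes p; Q can therefore vouch for it from the box alone.
    """
    box_factory, is_box = make_box_brand()

    def q_factory():
        p = p_factory()
        p.bump(floor)          # the special initialization only Q knows
        return box_factory(p)  # R receives p boxed, and may unbox it via key()

    def vouch(box):
        """True only for boxes Q made; the property then holds by construction."""
        return is_box(box) and box.key().value() >= floor

    return q_factory, vouch
```

R calls `q_factory()`, takes p out with `.key()`, and invokes it freely; whoever later receives the box can ask Q's `vouch` for it. A box from any other brand, or a bare `Counter` handed over without a box, is refused, which is the point of having the factory vouch for boxness rather than inspecting p.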