I want to address here some perceived differences between people and objects to see what software mechanisms may be needed to address the problems of unknown motives of individual people.

Also these attributes of people may sometimes be seen to apply to the objects that people, as programmers, write.

A scenario in the form of a message

Jacob, you can tell Arthur about this if you need his help in finding the mole. It is OK to give him logged access to the agent code name map, but only if you think if it is likely to help.

Jacob evidently has access to the map, perhaps itself logged. Jacob may decide to give Arthur access but will probably want to protect his own skin by wrapping any computer authority he gives to Arthur. If some agent disappears then the logs will be consulted by someone not otherwise named here. There is an incentive not to have known the cover of that agent.

Arthur has his own reputation to protect. If he gets logged authority to read the map from Jacob, that means that Jacob held that authority and could have used it to frame Arthur. (Jacob may be the mole.)

We assume here then that each person has individual secure access to ‘the computer’ by mechanisms we will not further discuss except to say that that person will be able to wield capabilities therein. Access to people within the agency via computer is by trustworthy names which map to capabilities. Access between people may itself be wrapped, each in his own membrane.

This page is meant to stimulate designs. I propose some assumptions merely to limit scope:

• The hardware and kernel are universally trusted.
• A generalized membrane technology may be universally trusted.