First proposal: what should LispOS feel like?

Alaric B. Williams
Thu, 1 May 1997 20:24:47 +0000

On 30 Apr 97 at 10:15, wrote:

> The protection philosophy of LispOS should be
> "what's in your scope is what you can access".
> If you want to restrict access to a resource,
> just do not export it to everyone's scope!
> Duh -- fine grained access control!

Now, this has long been a point of contention between Fare and I :-)

How would you actually implement such a system, esp. accross
a theoreticall infinite (ie, "unknown and untrusted") network?

How about - object IDs are represented as network addresses
and local addresses with a large enough range to make
scanning for valid addresses next to impossible - and
grant privileges by passing obejct IDs to people, so they
can then see them?

However, that's a bit too simple for practical use. If we
want multiple levels of access to an object, we need
to create multiple virtual objects with different IDs
that can be granted about. Now we have introduced
a problem of confusing object identity with object
access rights - a situation where this raises problems
is the one where an "indexing" object needs to keep track
of objects with a small level of access to them, nothing
more than requesting external features (title, icon,
keywords, etc), but the users who get object IDs from
the indexer will have higher levels of access.

My approach to the security problem is documented
at "", and
I won't go into it now because:

a) Not everyone wants to hear, I expect
b) I'm REALLY tired; I'm only reading my mail
   because I can't sleep, so don't expect great
   feats of lucid explanation :-)

Alaric B. Williams (

   ---<## OpenDOS FAQ ##>---

Plain HTML:

Fancy HTML: