[Date Prev][Date Next][Thread Prev][Thread Next][Author Index][Date Index][Thread Index]
- To: <bobp>
- Subject: Doc Stuff
- From: Mark S. Miller <mark>
- Date: Sun, 29 Oct 89 18:22:55 PST
- Cc: <dean>, <ravi>, <XTech>
- In-reply-to: <Bob>,36 PDT <8910290814.AA26370@xanadu>
Date: Sun, 29 Oct 89 01:14:36 PDT
From: bobp (Bob Perez)
Listen to the sound of this, and tell me if it has any basis in reality:
Every document has 2 Clubs associated with it: a Read Club (the set of all
Clubs with Read permission on the doc) and a Change Club (the set of all
Clubs with Change permission on the doc). Several thoughts emerge:
1) Does Change permission imply Read permission, or is it possible to have
the former without the latter?
It is not possible to have change permission without read permission.
Change (or "Edit") permission implies Read permission. This way no
one is left in the wierd position of editing blind. Also, if we had
"change-only", one could not enforce any integrity constraints on the
editing operations as that would reveal state of what's being edited.
2) Which component of the document (ID or state) has the permission Clubs
associated with it? Surely documents (i.e., Berts) have their own permission
Clubs, but don't stamps as well? If I pull your Club out of the Read Club of
my Marketing Plan, then you cannot read those versions of my document
represented by future stamps, but you can read all former versions (read
permission with respect to a particular stamp is irrevocable). It seems to
me that the permissions notions with respect to the different components of
a document (state and ID) are distinct.
Correct. Both Berts and Stamps have permissions associated with them.
It is a property of the world, not just of Xanadu, that I can't
later acually prevent you from accessing any *information* to which I
have earlier given you access, as you may have made your own copy.
What I can do is:
1) Prevent you from seeing later revisions of the document.
2) No longer devote (or pay for) storage to enable you to access the
3) Make it clear that I now forbid you to look at the information, but
am not preventing you from doing so.
Part of the Xanadu protection philosophy is "if you can't prevent it,
don't pretend you can; facilitate it". This way none of the users are
encouraged to form false hopes about the rules other players are
operating under. Neither are people encouraged to use the system in
pathological ways to get around road-blocks.
Revokable read permission creates such social pathologies as the
"server diving" activity that we've heard reports of from Apple:
people spending spare time looking around file servers at Apple for
programs which they can now read and making their own copies in case
they can't read them in the future.
Xanadu supports #1 by having read permission on Berts be retractable.
#2 will eventually be properly supported by agoric charging
mechanisms. Dean will figure out what approximation we will see in
first product. Dean?
Roland has made a very interesting start (which I would like us to
seriously build on after first product) on a formal language with
which players can clearly state intentions to each other. Notice that
"trade secrecy" arrangements do not rely on any mechanism to make it
more difficult for me to slip a copy to someone else. However, they
do rely on it being clear to me when I am doing so. Many social
arrangements hinge not on "what can you prevent me from doing?" but on
"have you made your intentions clear?".
Once we get this language worked out, I would like front-ends to be
cognizant of it so that it can be made clear to me as a user if some
action I am about to take would violate some agreement I have with
someone (such as reading an internal document after I no longer work
for the company). In light of our previous discussion on acknowledged
reading, note that a corporation could internally have a policy of
only using front-ends which prevented forbidden activities. This
would fit the "clarity" constraint rather well, as anyone who wanted
to engage in such activities would then have to use a front-end he'd
gotten from ComputerWare, and then he'd know he was violating company
When our competition makes false claims about what they can prevent,
they will be endangered by our $#%&* liability laws when some former
employee leaks an internal document that he should no longer have had
access to. We will probably get sued over something like this anyway,
but as we made no claims to be able to prevent something like this, we
will be in a stronger position. (We will probably lose anyway. sigh)
(Bobp, this is not an informed opinion. Am I being overly
The makers of copy machines make no claims that the ink will disappear
from copies former employees have made of internal documents.
Companies nevertheless spend lots of money making coping machines
available to their employees. Instead companies print things like
"Xanadu Proprietary" at the top of their documents.
How much of a marketing headache will explaining this be?