If only we could have a model that users are already familiar with - with always using urls of least capability everywhere, but transforming actions to write caps with a traditional username and password model/cookie
On Sunday, March 14, 2010, Zooko O'Whielacronx <[email protected]> wrote: > Argh, when throwing out a quick note just before going to bed it is > all too easy to contribute more confusion than clarity. > > I wrote: > > On Sat, Mar 13, 2010 at 9:32 PM, Zooko O'Whielacronx <[email protected]> wrote: >> >> No! This is a widespread myth. The problem is fundamental to a *sharing* >> system. A capability system that makes sharing very hard would not have this >> problem, and a non-capability system that makes sharing very easy would have >> this problem. > > You may now be wondering if it is possible to have a capability system > that makes sharing very hard. (Or if it is possible to have a > non-capability system that makes sharing very easy.) I think wondering > too much about that leads to a semantic rathole—when is a capability > system not a capability system? (c.f. allmydata.com's user interface) > > What I should have said is just this: > > No! This is a widespread myth. The problem is fundamental to a > *sharing* system. The system Toby was using offers a very convenient > gesture to share write access, which is identical (except for context) > with the very convenient gesture to share read access. By the way I > have made this exact same mistake three times now (with my blog). We > can make it easier to avoid this mistake by making it less convenient > to share write access, or by making write-access-sharing and > read-access-sharing gestures different, or by making the > write-access-sharing-contexts and read-access-sharing-contexts more > recognizably different. The first two times that I made this mistake > on my blog I then added one of these improvements to my blog software. > You can see the current results here: > > http://testgrid.allmydata.org:3567/uri/URI%3ADIR2%3Alq5unk3sdmwqckzey573b35paa%3Azshb54dvy4jmpdxjlptn6ttm4m7awi7xf7hqtwmvjriy6ryeb7ya/wiki.html > > (Explore that UI and see how write-access-context and > read-access-context differ.) > > My point is that we have this problem not because we used the > capability access control model, but because we made sharing maximally > easy in the first version of the user interface, and now we need to > figure out how to make sharing less easy, or more context dependent, > or something. > > I do hope that with the new crop of Tahoe-LAFS front-ends, such as > Toby's, we will explore the UX design space and find good > improvements! > > Regards, > > Zooko > _______________________________________________ > tahoe-dev mailing list > [email protected] > http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev > _______________________________________________ tahoe-dev mailing list [email protected] http://allmydata.org/cgi-bin/mailman/listinfo/tahoe-dev
