On Mon, 10 Mar 2003, Guido van Rossum wrote:
By the way -- to avoid confusion between "proxies used to wrap unrestricted objects in order to make them into secure objects" and "proxies used to reduce the interface of an existing secure object", let's call the first "proxy" (as has been used in the "rexec vs. proxy" discussion so far), and call the second a "facet" (which is the term commonly used when capabilities people talk about reducing an interface).
Hm, I'm not sure I understand the difference between the two definitions you give. What does "making something into a secure object" mean if not "reducing its interface"? And what is the fundamental difference between a secure object and an insecure one? In my world view there's a gradual difference.
I acknowledge that it's not perfectly black and white, but what i meant in the above is that a "secure object" is one that exposes only its declared interface.
The key difference i'm getting at is whether the interface is the one intended by the programmer. Proxies are for ensuring that the interface doesn't leak things the programmer never intended; facets are for the programmer to intentionally reduce the interface of an already secure object to limit its powers.
Er, perhaps another way of saying it is that proxies are at the system level and facets are at the user level.