I have recently been fascinated by Goblins, of Spritely fame. It is, at present, a library in Guile and Racket which provides a model of programming for peer-to-peer applications that makes permissions a kind of first-class object. In this essay I try to explain what that means, but I’ll admit I’ve had some trouble with it so far. It’s just… alien. It seems like a different order of sorcery than the likes to which I have grown stubbornly accustomed. What it makes easy should be a decade of work. The principle of least authority – an asymptote! – made as practical as a parameter.
Goblins articulates a security paradigm of object capabilities which I find to be an apt name. In this paradigm, you construct objects that have capabilities, which are functions. If someone in the network can access a function in an object on your machine, it is only because you gave them permission. If a function runs, it is because it is authorized to do so.
That is the model Goblins hands down, not one of peers or users or identities, but of capabilities. You write object capabilities as stateless functions, and can call upon those capabilities that you can access. Applications can gather such capability-functions to create complex communal systems built upon consent. If a function runs, it is because it is authorized to do so.
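
To make "a capability is a function you were handed" concrete, here is an added sketch in plain Scheme closures. It is not code from Goblins or from this essay and does not use the Goblins API; the names `make-notebook`, `read-only` and `make-revocable` are hypothetical. It shows a reference being narrowed before it is shared, then revoked.

```scheme
;; Added illustration: plain Scheme closures, NOT the Goblins API.
;; All names and the scenario below are constructed for this example.

;; A notebook is a closure over private state. Nothing outside can reach
;; `entries` except by holding a reference to the returned procedure.
(define (make-notebook)
  (let ((entries '()))
    (lambda (method . args)
      (case method
        ((read)  (reverse entries))
        ((write) (set! entries (cons (car args) entries)) 'ok)
        (else    'denied)))))

;; Attenuation: wrap a capability in one that forwards only 'read.
;; Whoever holds the wrapper has no path to 'write.
(define (read-only notebook)
  (lambda (method . args)
    (if (eq? method 'read)
        (notebook 'read)
        'denied)))

;; Revocation (the caretaker pattern): returns a pair of
;; (forwarder . revoker). The grantor keeps the revoker for itself.
(define (make-revocable cap)
  (let ((target cap))
    (cons (lambda args
            (if target (apply target args) 'revoked))
          (lambda () (set! target #f)))))

;; The owner holds full authority over the notebook.
(define notebook (make-notebook))
(notebook 'write "first entry")

;; The guest is handed only a read-only, revocable reference.
(define grant (make-revocable (read-only notebook)))
(define guest-cap (car grant))
(define revoke-guest! (cdr grant))

(display (guest-cap 'read)) (newline)          ; guest can read
(display (guest-cap 'write "spam")) (newline)  ; guest cannot write
(revoke-guest!)
(display (guest-cap 'read)) (newline)          ; access is gone
(display (notebook 'read)) (newline)           ; owner is unaffected
```

There is no access-control list and no identity check anywhere in this code: what the guest can do is determined entirely by which procedure it was given.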