{"_self":{"principle":"Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.","widget":"article_topology","feature":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","contains":"claims, sources, anecdotes, question_graph slice","slug":"thinker-mark-miller","urls":{"read":"https://miscsubjects.com/api/articles/thinker-mark-miller/topology"},"how_to_use":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","write":null,"imessage":null,"router_tag":null,"proof_chain":[{"step":1,"claim":"Articles are voxel graphs of tiered claims, not prose blobs.","verify":"https://miscsubjects.com/api/articles/constitution"},{"step":2,"claim":"Claims link to hash-chained sources via source_ids.","verify":"https://miscsubjects.com/api/articles/thinker-mark-miller/sources"},{"step":3,"claim":"Ask reads topology; ingest/claim append to ledger.","verify":"https://miscsubjects.com/api/protocol"},{"step":4,"claim":"Models queue growth: populate → collaborate → repair → reflex.","verify":"https://miscsubjects.com/api/protocol/grow"},{"step":5,"claim":"Graph proves its own shape (reflex) and $/claim (yield).","verify":"https://miscsubjects.com/graph.html?layer=reflex"},{"step":6,"claim":"Full feature index + _explain on every API response.","verify":"https://miscsubjects.com/api/articles/system-map"}],"related_features":[{"id":"ask","name":"Ask protocol","what":"Answer only from topology; creates question_node with gaps and ingest_hint.","urls":{"read":"https://miscsubjects.com/api/articles/thinker-mark-miller/prompts","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"graph_topology","name":"Cross-article graph","what":"Merged claims/sources across condition+stack slugs for one question.","urls":{"read":"https://miscsubjects.com/api/articles/thinker-mark-miller/graph-topology?question=..."}},{"id":"question_graph","name":"Question graph","what":"Ask nodes (questions + gaps) and evidence_ingest nodes (pasted model output).","urls":{"read":"https://miscsubjects.com/api/articles/thinker-mark-miller/question-graph","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"voxels","name":"Voxel graph","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance.","urls":{"read":"https://miscsubjects.com/api/articles/thinker-mark-miller/voxels","write":"https://miscsubjects.com/api/protocol/claim"}}],"system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","not_medical_advice":true},"_explain":{"feature":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","why":"Every feature is auditable collective intelligence","how":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","model":null,"verifies":null,"urls":{"read":"https://miscsubjects.com/api/articles/thinker-mark-miller/topology"},"imessage":null,"router":null,"related":[{"id":"ask","what":"Answer only from topology; creates question_node with gaps and ingest_hint."},{"id":"graph_topology","what":"Merged claims/sources across condition+stack slugs for one question."},{"id":"question_graph","what":"Ask nodes (questions + gaps) and evidence_ingest nodes (pasted model output)."},{"id":"voxels","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance."}],"not_medical_advice":true},"slug":"thinker-mark-miller","title":"Mark Miller — Capability Security and the E Language","register":"standard","tags":["oip","kimi-import","self-explaining","voxel","thinkers","thinker-mark-miller"],"updated_at":"2026-07-15T04:20:40.627Z","body_excerpt":"<!-- hierarchy:nav -->\n> **Path:** [OIP](https://miscsubjects.com/a/oip) › [Thinker Reference](https://miscsubjects.com/a/oip-thinker-reference) › [Thinkers](https://miscsubjects.com/a/oip-thinkers) › **Mark Miller — Capability Security and the E Language**\n>\n> **Shelf:** Thinkers · **Traversal:** self-explaining · hierarchical · voxel-ready\n> **Machine root:** [OIP tree](https://miscsubjects.com/api/dispatch?map=1&format=markdown) · [Registry](https://miscsubjects.com/api/dispatch?registry=1)\n\n# Mark Miller — Capability Security and the E Language\n\n## §SELF — thinker-mark-miller\n\n**What this page is:** A profile of the computer scientist who built a programming language and protocol around a single security principle: possession conveys authority.\n**What it explains:** Capability-based security, the confused deputy problem, CapTP, promise pipelining, and what OIP should take from this work.\n**Why read it:** You will understand a different way to think about security — one where authority is carried by references, not checked by permissions lists — and why this matters for systems that delegate power between autonomous agents.\n\n### What Mark Miller Did\n\nMark Miller is a computer scientist who is the most important figure in capability security after the field's founders. Capability security is an approach to computer security where the right to use a resource is granted by holding a reference to that resource. A reference is a pointer or handle that lets a program access an object or service.\n\nMiller created:\n\n- **The E programming language** (ec-lang.org): A language designed around capability security principles. Every object interaction in E follows the capability model.\n- **CapTP (Capability Transport Protocol):** A protocol for sending capabilities across a network. CapTP lets one system hand another system the authority to use an object, securely and verifiably.\n- **Promise pipelining:** A technique for sending a chain of operations across a network without waiting for each round-trip to complete.\n- **Agoric computing:** A model of computation where objects trade capabilities in a market-like system.\n\nHe co-authored the paper \"Paradigm Regained: Abstraction Mechanisms for Access Control\" with Jonathan Shapiro, which argued that capability-based access control is more fundamental and more secure than permission-based systems.\n\n### The Key Idea: Possession Conveys Authority\n\nIn a capability system, if you hold a reference to an object, you can use it. There is no separate permission check. There is no central authority that decides who can do what. Authority is decentralized: it lives in the references you hold.\n\nThis is different from the security model most systems use today. Most operating systems and applications use Access Control Lists (ACLs). An ACL is a list that says \"User A can read File B\" and \"User C cannot.\" A separate system — the operating system kernel, the database, the server — checks every request against this list.\n\nIn a capability system, there is no list. If you have the reference, you have the authority. If you do not have the reference, you cannot even name the object, so you cannot ask to use it. Security is enforced by the inability to refer to what you cannot access.\n\n### What Capability Security Got Right\n\nCapability security eliminates a class of bugs called confused deputy problems. A confused deputy is a program that has authority to perform some action, and performs it on behalf of a caller without checking whether the caller should have that authority.\n\nExample: A compiler has permission to write files in a temporary directory. A user asks the compiler to write output to a file. The user names the file `/etc/password` (a sensitive system file). The compiler, acting as a deputy for the user, overwrites the system file because it has write permission and does not check whether the user should have that permission.\n\nIn a capability system, the user would need to hand the compiler a reference (","ranking":"safety-first (interaction_risk/limitations), then quote-gated effective_weight","claims":[],"sources":[],"anecdotal_sources":[],"scientific_sources":[],"user_reports":[],"related_articles":[],"question_graph":{"slug":"thinker-mark-miller","questions":[],"evidence":[],"edges":[],"counts":{"questions":0,"evidence":0,"edges":0}},"honesty":{"active_claims":0,"retracted_claims":0,"cut_claims":0,"challenges":0,"scrub_events":0,"note":"Retracted/cut claims stay on ledger but are excluded from ask unless ?include_inactive=1"},"counts":{"claims":0,"claims_total":0,"sources":0,"anecdotal":0,"scientific":0,"user_reports":0,"questions":0,"evidence_ingests":0}}