Comments: Definition of Capabilities

The debate has way more content and quality than I can manage, and all I'm trying to do is tie down the definition of the capability. Here are some additional gems I have extracted:

1. Principle of Least Authority (POLA) is the underlying principle of design that points to capabilities [shap]. POLA is a principle, not a requirement, and capabilities is one way of designing according to POLA. Others are possible, and on first blush, SOX/nyms would also fit.

2. "The real magic of capabilities only arises with the addition of messaging between protection domains. Protected memory segments are just the primordial goo from which capability-based security emerged. [Tyler]" This seems to indicate that caps only make sense when dealing with administrative domains - the ability to move caps from one place to another where the two places aren't owned or managed under the same set of interests.

3. Capabilities and their representations are different. Capabilities may be passed from person to person, but their representations should be of a non-secret form [Alan]. That is, if Alice sees Bob's cap1 she doesn't acquire it.

The question here is ... why is an over-shoulder attack considered a serious threat?

4. There's a serious amount of confusion (in my mind at least) as to whether "confinement" is an underlying and foundational requirement, or just a concept that is equally sievelike in reality. Confinement seems to mean that within a domain, nothing leaks out except by expected and authorised channels. OK, is that it? That's what we've got now - nothing leaks out, except it's buggy and stuff leaks out. Or something.

5. "Right to communicate your capability" seems to exist [Jed]. This makes sense, as once you have a cap, you can proxy its use. Yet it flies in the face of confinement. So far, no end to the contradiction.

6. Audits have been suggested [David] - which opens up a new line of investigation (FC layers 4,5) that may put more flesh on the skeleton.

7. Is there a difference between OO objects and capabilities? It's a definite maybe, so far. See zooko's response on this issue, and David's remarks.

Posted by Iang at May 11, 2004 10:54 AM
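
An added illustration of points 2, 3 and 5 above, not part of the original comment or of any debater's system: a toy per-domain capability list (c-list), one common way to keep a capability's representation non-secret. The `Kernel` and `Account` classes and the domain names are hypothetical.

```python
class Kernel:
    """Toy kernel holding one private capability list (c-list) per domain."""

    def __init__(self):
        self._clists = {}  # domain name -> {handle: object reference}

    def spawn(self, domain):
        self._clists[domain] = {}

    def grant(self, domain, obj):
        # Install obj in the domain's c-list and return the domain-local handle.
        clist = self._clists[domain]
        handle = len(clist)
        clist[handle] = obj
        return handle

    def _lookup(self, domain, handle):
        try:
            return self._clists[domain][handle]
        except KeyError:
            raise PermissionError(f"{domain} holds nothing at handle {handle}") from None

    def invoke(self, domain, handle, method, *args):
        return getattr(self._lookup(domain, handle), method)(*args)

    def send(self, sender, handle, receiver):
        # A message between domains is the only way a capability moves here.
        return self.grant(receiver, self._lookup(sender, handle))


class Account:  # constructed sample object guarded by a capability
    def __init__(self, balance):
        self.balance = balance

    def withdraw(self, amount):
        self.balance -= amount
        return self.balance


def demo():
    k = Kernel()
    k.spawn("alice")
    k.spawn("bob")
    cap1 = k.grant("bob", Account(100))  # Bob's cap1; the number itself is no secret
    try:
        k.invoke("alice", cap1, "withdraw", 10)  # Alice reuses the number she saw
        overseen = "acquired"
    except PermissionError:
        overseen = "denied"
    alice_cap = k.send("bob", cap1, "alice")  # Bob chooses to communicate it
    return overseen, k.invoke("alice", alice_cap, "withdraw", 10)
```

In this design the handle is only an index into the holder's own c-list, so seeing Bob's number gives Alice nothing until Bob sends the capability in a message.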
