[cap-talk] Re: "capabilities" as data vs. as descriptors - tense of capability work
Jed Donnelley
jed at nersc.gov
Mon May 3 23:18:00 EDT 2004
At 10:44 AM 5/3/2004, Karp, Alan wrote:
>Jed Donnelley wrote:
> >
> > With that model the representation of a capability is unique to
> > the process that holds it. Capabilities are transformed whenever
> > they are communicated. Even if a capability's representation in
> > a process's memory space is "leaked" (e.g. viewed in a dump)
> > such a representation is useless outside that process. Similarly,
> > by cryptographic means, nearly any modification to a capability's
> > representation will render it invalid (though we did work some on
> > the ability for a process to essentially "sign" a rights reduction
> > for a capability to avoid the cost of having to send it back to the
> > server to have its, let's say, access rights restricted - e.g. to
> > turn an RW file capability into R-only).
> >
>
>I believe that "capability designators" have this property if the
>designator is interpreted for the specific process. That's what we did
>with e-speak Beta 2.2 (henceforth denoted by the name of our prototype,
>Client Utility or CU). The e-speak product used SPKI attribute
>certificates as capabilities. Each was tied to a specific private key, so
>it was non-transferable. It could be delegated, though, if the
>Do-Not-Delegate bit wasn't set.
Arg! Actually I sympathize. I assume that in the case where a process had
a capability with the "Do-Not-Delegate" bit set it would be forced to proxy
such delegation if it still wished to "delegate"? That is where our
"inalienable right" to communicate rights came in. We didn't believe in
forcing people (programs) to proxy just to share a right that they had.
>The delegation could be for a subset of the rights. CU could not do this
>kind of restriction. Hence, we tended to have separate capabilities for
>each right.
One thing I'd like to get cleared up is the tense of this discussion. You
refer to e-speak Beta 2.2 in the past tense. My work on the NLTSS system
is certainly in the past tense. I'm not sure about KeyKOS these days, but
certainly most of that work was past tense. As I understand EROS it is an
active project, though seemingly mostly a research project? What is the
activity of the work being done at HP? Can somebody point me to any sort
of historical thread from the HP work, the CapDesk stuff, etc.?
--Jed http://www.nersc.gov/~jed/
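An added illustrative sketch (not NLTSS, e-speak or CU code) of the properties the quoted NLTSS paragraph describes: a server-minted representation bound to its holder process, a holder-side rights reduction done without a server round trip, and a transfer that re-mints for the receiver. The keyed-hash chain used for the local reduction is an assumption standing in for whatever NLTSS actually used; the secret key and process names are constructed.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-server-secret"  # constructed; never leaves the server

def _mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _chain(clauses):
    mac = _mac(SERVER_KEY, clauses[0])
    for c in clauses[1:]:
        mac = _mac(mac, c)
    return mac

def mint(obj, rights, holder):
    """Server issues a representation bound to one holder process."""
    clauses = [f"obj={obj}", f"holder={holder}", f"rights={rights}"]
    return {"clauses": clauses, "mac": _chain(clauses)}

def attenuate(cap, new_rights):
    """Holder-side rights reduction: extend the MAC chain, no server round trip."""
    clauses = cap["clauses"] + [f"rights={new_rights}"]
    return {"clauses": clauses, "mac": _mac(cap["mac"], clauses[-1])}

def resolve(cap):
    """Server side: verify the chain, fold clauses into (obj, holder, rights);
    None if the representation was modified or forged."""
    if not hmac.compare_digest(_chain(cap["clauses"]), cap["mac"]):
        return None
    obj = holder = rights = None
    for clause in cap["clauses"]:
        k, v = clause.split("=", 1)
        if k == "obj":
            obj = v
        elif k == "holder":
            holder = v
        elif k == "rights":  # a later clause can only remove rights
            rights = v if rights is None else "".join(r for r in v if r in rights)
    return obj, holder, rights

def check(cap, caller, obj, right):
    """Usable only intact, by its bound holder, on its object, within its rights."""
    r = resolve(cap)
    return r is not None and r[0] == obj and r[1] == caller and right in r[2]

def transfer(cap, sender, receiver):
    """Communication transforms the capability: re-minted for the receiver,
    so a copy leaked from the sender's memory is useless to anyone else."""
    r = resolve(cap)
    return None if r is None or r[1] != sender else mint(r[0], r[2], receiver)
```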