[cap-talk] What are caps good for?
ben at algroup.co.uk
Mon May 10 05:34:41 EDT 2004
zooko at zooko.com wrote:
> Ever since I saw Marc Stiegler's demo of CapDesk at the O'Reilly Emerging
> Technologies Conference in 2002 , I stopped being excited about
> capabilities. Instead, I became excited about *whatever technology* could be
> used to implement the functionality that MarcS demoed. If some ACL-based
> technology could do that, then I would be excited about it. If it turns out
> that no real capability system can enforce various kinds of confinement ,
> but that it can still implement MarcS's demo, then I'm still excited about it.
> In that demo, MarcS downloaded a text-editor caplet from "texteditors-R-us.ru",
> and used it to edit a precious file, by clicking "File -> Open" and specifying
> which file to load. After changing some of the contents of the file, he
> clicked "File -> Save As" and specified the filename under which to save it.
> The text-editor caplet was prevented by CapDesk from reading any files other
> than the one that the user specified in "File -> Open", and it was prevented
> from writing to any files other than the one that the user specified in "File
> -> Save As". All of this is possible without Lampson confinement [*].
This is my favourite example of why capabilities are cool, and the
uninitiated love it. However, whenever I mention it to someone that
needs persuading to support capabilities (rather than someone who might
be a user of them), they say "yeah, heard that before, tell me something
new", as if this were unimportant. I find that very depressing.
> Now MarcS also demoed something that isn't possible without some confinement,
> specifically that CapDesk prevented the caplet from leaking the contents of the
> file out to the authors of the caplet. This might not be possible in practice
> (or it might),
Only in a fantastically restricted subset of applications.
However, it did recently occur to me that a non-networked component of a
notary might be restrictable in this way (i.e. the part with the private
key that does the signing). If the data were sent encrypted, then this
would actually be useful. One slight snag is that you could prevent the
leak by just sending a hash in the first place, but I guess we can
probably think of a use case for this version.
> but in any case the demo is compelling to me even without that
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
More information about the cap-talk