[cap-talk] Java coding rules for capability discipline (statics)

David Wagner daw at cs.berkeley.edu
Fri Nov 5 15:41:22 EST 2004


Ian Grigg writes:
>Which brings up a thought.  Why don't we simply model
>the statics as an implied capability that is shared
>across all members of a class?

Because part of the idea of capability-secure programming is to avoid all
forms of implied capabilities.  ("No ambient authority.")  Privileges
that are implicit and globally usable are dangerous, and hence should
be avoided.  If the programmer wants to make this privilege globally
usable, they should have to take some explicit action to indicate that
they know what they are doing, understand its security consequences,
and intend those security consequences.  Think of this as trying for a
form of "informed consent".  In practice, we don't know how to achieve
full "informed consent", but if we can form rules that tend to steer
programmers in the right direction, we're improving our odds.
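As an added illustration, not code from the cap-talk thread or from either poster, here is the mutable-static pattern the reply objects to beside the explicit form it asks for; the class and method names (AuditLog, AmbientAudit, ExplicitAudit, StaticsDemo) are hypothetical.

```java
// Added example, not from the cap-talk thread: the static-as-ambient-authority
// pattern the post warns against, beside the explicit capability-passing form.
// All class and method names here are hypothetical.
import java.util.ArrayList;
import java.util.List;

// Capability: the right to append to an audit log.
interface AuditLog {
    void append(String entry);
}

final class InMemoryAuditLog implements AuditLog {
    private final List<String> entries = new ArrayList<>();
    public void append(String entry) { entries.add(entry); }
    public List<String> entries() { return List.copyOf(entries); }
}

// Ambient-authority style: the log is reachable by anyone who can name the
// class, so every class in the process implicitly holds this capability and
// nothing in a caller's interface reveals that it uses (or could replace) it.
final class AmbientAudit {
    static AuditLog LOG;                       // mutable static: implied capability
    static void record(String who, String what) {
        LOG.append(who + ":" + what);
    }
}

// Capability-discipline style: authority arrives only through a constructor
// or method parameter. Handing over the reference is the explicit, reviewable
// act of granting it; code that was never given the reference cannot reach the log.
final class ExplicitAudit {
    private final AuditLog log;
    ExplicitAudit(AuditLog log) { this.log = log; }   // explicit grant
    void record(String who, String what) {
        log.append(who + ":" + what);
    }
}

public class StaticsDemo {
    // A static final reference to an immutable value carries no authority and
    // is therefore not the case the post objects to.
    static final String FORMAT_VERSION = "1";
    public static void main(String[] args) {
        InMemoryAuditLog log = new InMemoryAuditLog();
        ExplicitAudit audit = new ExplicitAudit(log);   // one visible grant
        audit.record("alice", "login");
        System.out.println(log.entries());
    }
}
```

A reviewer can find every holder of the ExplicitAudit capability by following constructor arguments, whereas any class that mentions AmbientAudit.LOG holds it silently.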