[cap-talk] Capabilities in Livermore and OS frustration
Jed at Webstart
donnelley1 at webstart.com
Wed May 11 13:30:13 EDT 2005
At 07:57 PM 5/6/2005, Charles Landau wrote:
>>I'll have to admit that it was somewhat discouraging for me to write up
>>Perhaps it showed through. What frustrates me most is that I see and
>>feel to my core
>>the value for computing/humans in general of POLA and the natural way
>>whatever one might call manipulable/communicable authority tokens) can
>>that value. Yet despite that, I don't see how I could have done anything
>>then nor do I see what I can do now to get that value into the main stream.
>I too have realized that it isn't easy. I'm working on CapROS (formerly
>EROS) because the only model I have seen for getting a new operating
>system adopted is to write it all from scratch and make it free. In 1984
>Richard Stallman began doing that, and 21 years later, Gnu/Linux is
>getting serious attention.
Good luck with the above Charlie. I hope your're around to see some payoff
(in other words, live long and prosper!)!
One thing I will note, however, is that Gnu/Linux was able to start getting
serious attention only
because it supported the base Unix API. No doubt you are aware of
Stallman's writing on this
topic. How do you imagine getting a significant set of widely valued
applications running on
CapROS? Do you intend to supply some sort of compatibility library? If
so, how do you believe
the underlying capability flexibility (specifically POLA) will show through
any such library?
That is the fundamental difficulty that I see. I'd be interested to hear
any idea that you or others
may have for surmounting that (to me) apparent obstacle.
At 05:15 AM 5/7/2005, Michael Berg wrote:
>E.g. even though I know this is not a pure capability system and they're
>lacking quite some things which are considered on these kinds of mailing
>lists as very (or most) important (as POLA), the people from Symbian
>(www.symbian.com) have moved towards a capability mechanisms to secure
>their mobile operating system. (in Symbian OS v9 - see for instance
I found some interesting reading in the above. I will note that to me POLA
the whole game with regard to "capabilities". That is, I don't much care
what you call
the tokens of authorization or even to some extent how they are manipulated
of course they require enough flexibility to make them practical), but they
support POLA to be relevant in any sense - IMHO.
Here is where the discussion of Symbian starts to concern me and to me seems
to be deviating for any workable "capability" scheme:
"Code that needs to access capability-protected functionality must go through
the process of authorisation, in order to gain the privilege of using a
Once this has been successfully completed, the code is considered authorised
for that capability. Authorising a capability effectively confirms that the
trustworthy enough to use the functionality protected by that capability."
If you read on you see that what they mean by "authorization" is essentially
human user authorization. That is, asking the human user for the authority to
exercise a "capability":
"...but where authorisation may be performed by the user..."
In my opinion this approach is so unworkable as to be hardly recognizable
sense as a "capability" mechanism. The essence of any "capability"
mechanism is (IMHO)
that it allow IPC communication of authority tokens. This is not true of
mechanism in Symian.
Of course you could argue that even the use of the term "capability" and
notion of managing authorities is a step in the right direction. I don't
agree with that
position. If the direction you step in is into a swamp (as I see such
authorized "capabilities") then you can very well be making the situation
at the same time confusing things (including the terminology) for others.
I believe the base problem that we have is that the IT culture is not aware
is not taught POLA and communicable authorities as base values that include
common terminology, interfaces, implementation approaches etc. Until we get
there I believe mechanisms like that in Symbian calling themselves
(Linux "capabilities" is another example) will continue to crop up and
As I've mentioned before I do see some hope that beginning to share authorities
across the Internet with something like YURLs may make the value of such POLA
sharing clear and that it may ultimately percolate down to the OS
I haven't seen any suggestion that anything POLA is developing at the OS
level in any
effective (capable of spreading) way.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the cap-talk