Capability development principles (was Re: [cap-talk] YURLs. What is the model of development?)

Sat Nov 26 03:16:01 EST 2005

Yes, that would be a better description of the problem I posed, although
I'd amend "leaked" to "unintentionally leaked". Authentication is simply
 a means to achieving that end.

I have no problem with users intentionally passing capabilities since
they can be made accountable for any abuses. I'd simply like to ensure
that a user *knows* when he is passing a capability. If a user is
utilizing a third-party computer (internet cafe?), browser history makes
capability-based web applications useless because it would leak all of
his authority *unintentionally*.

> That question makes me worry that the
> model of YURLs is at odds with the mental model that users have, and
> wonder whether capabilities are really the right solution for human
> consumption.

I think there are only a few corner cases that would surprise users
(like the one I proposed).

> It feels like tacking mutual authentication onto YURLs
> can't be the right solution (as I think you were suggesting), because
> it seems to defeat the whole point of capabilities (why bother with a
> capability model in the first place if you're going to add mutual
> authentication anyway?).

Capability designs have other advantages which make them attractive.

Was I premature in concluding that dynamically constructed,
session-limited facades will adequately solve the problem? I'm certainly
open to other possibilities; session-limited authority is a fairly
common pattern in web applications though.

Sandro
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDiBnBp+tmQHySTM0RAs9/AJ9iQrJ15Qh7q/OCNtP4lGrTnk2wbgCfTRgR
KLViaUsUtSMNg8CjWldWtXA=
=peuh
-----END PGP SIGNATURE-----