[cap-talk] A question on capabilities

David Wagner daw at cs.berkeley.edu
Mon Jun 12 21:48:28 EDT 2006 

Ben Laurie writes:
>Isn't this exactly what e-speak was all about? In this case, the
>capability would be linked to Alice, so she'd have to prove ownership
>of her private key in order to exercise it. Of course, Alice could
>leak her private key, too, though that seems less likely since you
>never have to send it over the wire.

I don't know; I'm not familiar with e-speak.

Doesn't this harm expressivity?  Wouldn't this make it harder for Alice
to rely on services provided by others?  If Alice the human user wants
to launch her word processor by clicking on a file, then that will work
if the file is local, but won't work if the file is stored on a remote
fileserver (unless some kind of proxy is automatically created -- but
if you automatically create proxies, aren't you back to the potential
to leak capabilities).  This seems weird and counterintuitive.

Did e-speak do this at the granularity of "human users" ("principals"),
or of individual objects (e.g., each Java object has its own public key)?

If this is done at the code level, doesn't it get in the way of
abstraction, because now the system administrator has to know about every
detail of Alice's construction?  It seems like Alice would frequently
want to invoke some other service (Bob, say) to perform some operation
on her data, and if she had to ask the sysadmin for permission every
time she did that, that would make it really hard to get any kind of
programming done.  Every time Alice wants to invoke a method on another
object and pass an authority-bearing reference, she has to get advance
approval from the sysadmin.  For instance, if the object Alice has an
array of integers and wants to call some utility library to sort the
array of integers (i.e., invoke a method on another object and pass
the array reference as a parameter to the method), then she can't do so
unless the sysadmin has approved that in advance.

I suspect there's probably a difference between (a) people unintentionally
comamnding the system to do something that will cause their capability
to be leaked, and (b) code inadvertently containing a bug that causes
a capability to be leaked.  Different kinds of solutions might be
appropriate for these two different problems.  I can imagine something
e-speak like might be plausible for problem (a), but I don't see how it
could work for problem (b).

More information about the cap-talk mailing list