[cap-talk] MLS gone bad - now capabilities? (was: NCSC TCSEC) Lampson trashes POLP

Valerio Bellizzomi devbox at selnet.org
Tue Nov 21 08:06:42 CST 2006

On 17/11/2006, at 2.03, Valerio Bellizzomi devbox at selnet.org wrote:


>... Each
>user is represented in a system by programs, so I tend to think in terms
>of "programs as principals", since a system only understands code, the
>system does not know what a user is, the fact that ACL systems give
>identity-based access is only an artifact of implementation, as I see it,
>in an object/capability system, each user is himself a capability, and
>system code only understands capabilities.

I mean:

1. The machine does not recognize persons like humans do. The machine's
*notion* of a person is merely an identification code;

2. Capabilities are the *only* permissions mechanism recognized and
enforced by the kernel;

3. The problem of identification code theft cannot be resolved only by
in-system mechanisms, but needs some other external, organizational
mechanism at the human level.

So, we must be very careful when considering the responsibility of the
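To make the three numbered points concrete, the following is an editor-added illustration, not code from this thread or from any cap-talk participant: a toy capability kernel in Python whose only permission check is "is this a capability I minted, and does it carry the needed right?". The names `Kernel`, `Capability`, `payroll.db` and the "alice" scenario are all constructed for the example; the kernel never sees a user, only the capabilities a program presents (points 1 and 2), a look-alike built outside the kernel is rejected, and a copied genuine reference is indistinguishable from the original until something outside the kernel revokes it (point 3).

```python
"""Toy object-capability kernel: a constructed illustration, not real system code."""
import weakref


class CapabilityError(PermissionError):
    """Raised when a request is not backed by a genuine, sufficient capability."""


class Capability:
    """An unforgeable reference to an object plus a set of rights.

    Possession of a kernel-minted instance *is* the permission; the kernel
    never asks who is holding it.
    """

    def __init__(self, target, rights):
        self.target = target
        self.rights = frozenset(rights)


class Kernel:
    """The only thing the kernel understands is capabilities it minted itself."""

    def __init__(self):
        self._objects = {}                  # object name -> current contents
        self._issued = weakref.WeakSet()    # genuine capabilities, by object identity

    def _mint(self, target, rights):
        cap = Capability(target, rights)
        self._issued.add(cap)
        return cap

    def _check(self, cap, needed):
        if cap not in self._issued:
            raise CapabilityError("not a kernel-minted capability (forged or revoked)")
        missing = frozenset(needed) - cap.rights
        if missing:
            raise CapabilityError(f"capability lacks rights {sorted(missing)}")

    def create_object(self, name, contents):
        """Create an object and hand back its full-rights capability."""
        self._objects[name] = contents
        return self._mint(name, {"read", "write"})

    def attenuate(self, cap, rights):
        """Derive a weaker capability (least privilege); requires a genuine parent."""
        self._check(cap, set())
        return self._mint(cap.target, cap.rights & frozenset(rights))

    def revoke(self, cap):
        """In-system remedy once theft is *known*: the reference stops working."""
        self._issued.discard(cap)

    def read(self, cap):
        self._check(cap, {"read"})
        return self._objects[cap.target]

    def write(self, cap, contents):
        self._check(cap, {"write"})
        self._objects[cap.target] = contents


def report_program(kernel, cap):
    """A 'program as principal': its authority is exactly the capability it was given."""
    return len(kernel.read(cap))


def run_demo():
    """Exercise the model and return a dict of outcomes."""
    kernel = Kernel()
    full = kernel.create_object("payroll.db", "constructed sample contents")
    # "alice" is known to the kernel only as this read-only capability she holds.
    alice_ro = kernel.attenuate(full, {"read"})
    outcome = {"program_reads": report_program(kernel, alice_ro)}

    try:                                    # read-only holder cannot write
        kernel.write(alice_ro, "tampered")
        outcome["write_denied"] = False
    except CapabilityError:
        outcome["write_denied"] = True

    forged = Capability("payroll.db", {"read", "write"})   # built outside the kernel
    try:
        kernel.read(forged)
        outcome["forgery_denied"] = False
    except CapabilityError:
        outcome["forgery_denied"] = True

    # Point 3: a copied genuine reference looks exactly like the original to the
    # kernel, so in-system checks alone cannot tell theft from legitimate use ...
    copied_reference = alice_ro
    outcome["copy_indistinguishable"] = kernel.read(copied_reference) == kernel.read(alice_ro)

    # ... until an external (organizational) process notices and revokes it.
    kernel.revoke(alice_ro)
    try:
        kernel.read(copied_reference)
        outcome["revoked_denied"] = False
    except CapabilityError:
        outcome["revoked_denied"] = True
    return outcome
```

Calling `run_demo()` returns a dict in which the program reads 27 characters, the write and the forged capability are denied, the copied reference reads successfully until revocation, and then is denied. The design choice worth noting is that `Kernel._check` consults only object identity and the rights set: there is no user name anywhere in the check, which is exactly what makes the copied-reference case undetectable inside the system.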