[cap-talk] Don't understand capabilities
Jed at Webstart
donnelley1 at webstart.com
Wed Oct 25 13:19:38 CDT 2006
I consider this:
At 01:56 AM 10/25/2006, lists at notatla.org.uk wrote:
>...After much reading on capabilities I still don't think I
>understand them but
quite embarrassing. How can this be?
Correct me if I overstate this case, but:
All capabilities are is communicable references to objects that
convey both designation (identify the object) and permission (grant
some sort of access to the object).
The key to understanding capability based systems is to be able to
clear your thinking of any sort of identity based authorization and
assume that executing programs run with no authority to do anything
(beyond executing ordinary instructions within their memory space
that require no privileges) EXCEPT what they might receive in the
form of these "capability" tokens.
The only available operation on a capability is that of "invoking"
the capability. In doing so parameters can be passed to the servicer
of the capability including simple data and in general other
capabilities (which may or may not themselves be simple data...) and
data and possibly other capabilities can be returned. Executing
programs can be initialized with some number of capabilities and then
can interact through their available capabilities to send and/or
receive capabilities from others.
That's it. In discussing capabilities many people find the
Granovetter diagram:
http://www.erights.org/elib/capability/ode/overview.html
useful to help clarify what's going on. But what's going on is VERY simple.
If we haven't adequately conveyed that message so that somebody can
do "much reading" on the capability concept and still not understand
it then I think something is seriously wrong with "our" message. I
admit that many of the references I look at describing the capability
concept seem to me to spend more time separating some specific aspect
of a capability implementation (axe to grind) than on conveying the
general concept.
Since Wikipedia seems to be a good source of shared wisdom these
days, perhaps we should ask, What is wrong with the description in:
http://en.wikipedia.org/wiki/Capability-based_security
Getting this right seems to me vital to our effort/focus on this
list. Perhaps we should discuss tuning up that page?
Possibly pursuing Fred's thread will help to hone the capability
message? I'll spend some time there.
Incidentally - good stuff. I like it when the discussion gets a bit
more fundamental and hopefully things get cleaned up some.
--Jed http://www.webstart.com/jed/
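Added example, not part of Jed's post or of any system the list discusses: a toy object-capability model in plain JavaScript that exercises the points made above. Each capability is an unforgeable object reference whose methods close over private state, so holding the reference is both designation (which file) and permission (what you may do to it); a "process" starts with no authority beyond the references it is handed; invoking a capability can pass and return other capabilities (the Granovetter introduction, alice invoking bob with carol as the argument); and a read-only facet shows attenuation. The names makeFileCap, makeReadOnly, makeLogger, runScenario and the alice/bob/carol scenario are my own constructions for illustration.

```javascript
// Added illustration (not from the cap-talk post): a minimal object-capability
// system. JavaScript object references cannot be forged or guessed, so a
// frozen object whose methods close over private state serves as a
// capability token: designation + permission in one communicable reference.

// A file capability. The only route to `contents` is through this object;
// there is no name or path, so nothing can reach the file by looking it up.
function makeFileCap(initialContents) {
  let contents = initialContents;
  return Object.freeze({
    read() { return contents; },
    write(data) { contents = data; return contents.length; },
  });
}

// Attenuation: a facet that conveys only the read permission. A holder of
// this reference has no way to recover the write method from it.
function makeReadOnly(fileCap) {
  return Object.freeze({ read() { return fileCap.read(); } });
}

// A "process" that begins with no authority at all. Its only way to affect
// the world is through capabilities passed in as invocation parameters.
function makeLogger() {
  let sink = null;            // the file capability, once somebody hands us one
  return Object.freeze({
    // Invocation parameters may be capabilities: whoever calls attach()
    // introduces this logger to a file it could not otherwise designate.
    attach(fileCap) { sink = fileCap; },
    log(line) {
      if (sink === null) throw new Error("no file capability held");
      return sink.write(sink.read() + line + "\n");
    },
    // Return values may be capabilities too: hand back an attenuated view.
    viewer() { return sink === null ? null : makeReadOnly(sink); },
  });
}

// Worked scenario (constructed): alice holds both bob (a logger) and carol
// (a file) and introduces them by invoking bob with carol as an argument.
function runScenario() {
  const carol = makeFileCap("");          // alice's file
  const bob = makeLogger();               // alice's logger, no authority yet

  // No ambient authority: before the introduction, bob cannot log anywhere.
  let loggedBeforeAttach = true;
  try { bob.log("early"); } catch (e) { loggedBeforeAttach = false; }

  bob.attach(carol);                      // alice: bob.attach(carol)
  bob.log("hello");
  bob.log("world");

  // bob hands a third party a read-only facet; writing through it fails
  // because the facet simply has no write method (TypeError on call).
  const viewer = bob.viewer();
  let writeAttemptFailed = false;
  try { viewer.write("overwrite"); } catch (e) { writeAttemptFailed = e instanceof TypeError; }

  return {
    loggedBeforeAttach,
    contents: carol.read(),
    viewerSees: viewer.read(),
    facetHasWrite: typeof viewer.write === "function",
    writeAttemptFailed,
  };
}
```

The point the code makes in miniature: nothing here checks "who" the caller is. bob can write to carol only because alice chose to pass the reference, and the third party holding `viewer` can read but not write, not because of an access-control list but because the reference it holds carries no write permission at all.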