[cap-talk] the "flaw" of separating designation from authority
David Wagner
daw at cs.berkeley.edu
Thu Oct 26 15:25:58 CDT 2006
Fred Spiessens wrote:
>Yes, losing the connection between the origin of the designation and
>the origin of the authority will result in confused deputies. When
>programming deputies, the ultimate advantage of capabilities is: that
>you don't have to keep track of this connection yourself.
>Programmers tend to keep track only of the designation (functionality-
>minded as they are), [...]
Yes, exactly! You put it extremely well.
>The flaw is not "separating designation from authority" but "losing
>track of the connection between the origin of the designation and the
>origin of the authority". The former would have indicated a flaw in
>the system, while the latter is a programming error.
Right. But as a pragmatic matter, "separating designation from
authority" tends to lead to programmers "losing track of the connection
etc.". It's not enough to have a software architecture that makes it
_possible_ (in principle) to build a secure system; I want to make
building secure systems as easy and natural as possible. I want to
maximize the chances that the system actually will be secure.
With this point of view, the confused deputy problem seems like a
pretty good argument in favor of capabilities.
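As an added illustration (not part of either message above; the compiler-and-billing-log scenario, the principal names and the toy filesystem are all constructed for it, and the simulation assumes capabilities are unforgeable, which a real capability system enforces and plain Python does not), here is a small Python model of the two cases. In the first, the caller supplies only a designation (a path string) and the deputy writes with its own ambient authority, so the connection between who chose the path and who may write it is lost. In the second, the designation arrives as a capability that carries its own authority, so the caller cannot name what it cannot reach.

```python
# Added example (not from the cap-talk post): a toy confused deputy.
# Scenario (constructed): a compiler service writes the caller's output file
# and appends a line to a billing log the caller itself may not touch.

class Forbidden(Exception):
    """Raised when a principal lacks ACL permission on a path."""


class FileSystem:
    """Toy ACL filesystem: authority is a per-path set of principal names,
    checked against whoever performs the operation (the deputy), not
    against whoever chose the path (the caller)."""

    def __init__(self):
        self.files = {}    # path -> content string
        self.writers = {}  # path -> set of principals allowed to write

    def create(self, path, owner, content=""):
        self.files[path] = content
        self.writers[path] = {owner}

    def _check(self, principal, path):
        if principal not in self.writers.get(path, set()):
            raise Forbidden(f"{principal} may not write {path}")

    def write(self, principal, path, content):
        self._check(principal, path)
        self.files[path] = content

    def append(self, principal, path, line):
        self._check(principal, path)
        self.files[path] = self.files.get(path, "") + line


BILLING = "/var/log/billing"   # hypothetical path


def compile_ambient(fs, caller, source, output_path):
    """Deputy with ambient authority: `output_path` is a bare designation
    chosen by the caller, but every write is performed as 'compiler'."""
    fs.write("compiler", output_path, f"compiled({source})\n")
    fs.append("compiler", BILLING, f"{caller} used 1 unit\n")


def run_ambient():
    """Returns (direct write blocked?, final billing log content)."""
    fs = FileSystem()
    fs.create(BILLING, "compiler", "alice used 3 units\n")
    fs.create("/home/mallory/out", "mallory")
    try:                                 # mallory cannot write the log herself...
        fs.write("mallory", BILLING, "")
        direct_write_blocked = False
    except Forbidden:
        direct_write_blocked = True
    # ...but can designate it as the compiler's output and borrow its authority:
    # the log is clobbered and alice's history is gone.
    compile_ambient(fs, "mallory", "main.c", BILLING)
    return direct_write_blocked, fs.files[BILLING]


class WriteCap:
    """Capability: designation and authority travel together.  Whoever holds
    it can write that one path; nothing else is consulted.  (Assumed
    unforgeable: only the system hands these out.)"""

    def __init__(self, files, path):
        self._files = files
        self._path = path

    def write(self, content):
        self._files[self._path] = content

    def append(self, line):
        self._files[self._path] = self._files.get(self._path, "") + line


class CapCompiler:
    """Deputy in the capability model: holds its own log capability and
    receives the output designation *as* a capability from the caller."""

    def __init__(self, log_cap):
        self._log = log_cap

    def compile(self, caller, source, output_cap):
        output_cap.write(f"compiled({source})\n")
        self._log.append(f"{caller} used 1 unit\n")


def run_caps():
    """Returns (attack blocked?, billing log content, mallory's output)."""
    files = {BILLING: "alice used 3 units\n", "/home/mallory/out": ""}
    compiler = CapCompiler(WriteCap(files, BILLING))
    # mallory's entire authority is this table; she can only pass what is in it.
    mallory_caps = {"/home/mallory/out": WriteCap(files, "/home/mallory/out")}
    try:
        compiler.compile("mallory", "main.c", mallory_caps[BILLING])
        attack_blocked = False
    except KeyError:               # no capability for the log: cannot even name it
        attack_blocked = True
    compiler.compile("mallory", "main.c", mallory_caps["/home/mallory/out"])
    return attack_blocked, files[BILLING], files["/home/mallory/out"]
```

Note that `compile_ambient` contains no bug in the functional sense: it writes where it was told to. The defect is that the programmer would have had to add a separate check that `caller` may write `output_path`, and nothing in the interface reminds them to. In `CapCompiler.compile` that check has no place to be forgotten, because the only way to designate an output is to hand over the authority for it.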