[cap-talk] Don't understand capabilities
Marcus Brinkmann
marcus.brinkmann at ruhr-uni-bochum.de
Fri Oct 27 07:28:25 CDT 2006
At Wed, 25 Oct 2006 11:19:38 -0700,
Jed at Webstart <donnelley1 at webstart.com> wrote:
> If we haven't adequately conveyed that message so that somebody can
> do "much reading" on the capability concept and still not understand
> it then I think something is seriously wrong with "our" message.
Mmmh. I have a gut feeling here. Capabilities may be difficult to
understand because they are not "natural", in the sense that they are
not a concept that comes out of human experience.

Technology that is easy to use and understand draws from analogies to
the real world, or more specifically, to human nature. Take for
example www.freenigma.org, which is a hack to add OpenPGP encryption
to email web services like gmail, yahoo and hotmail. Their design is
purposefully user-friendly: All details of the public key mechanisms
are hidden, including the web of trust. Instead, the site operates on
the basis of social networking idioms like "invitations" and
"friends", which are incredibly successful in other web applications
as well. I should say that freenigma is not as secure as if you use
OpenPGP directly according to its intention (in fact, there are quite
major differences), but that is not the point: The point is that
freenigma provides an interface that people can be comfortable with
and understand, while OpenPGP is difficult.

I think that ACLs and ambient authority work closer to the real world
than capabilities do. Say I want to set a book on fire. The ability
to set fire to a book is part of myself, but this ability includes
burning any book out there, not just a couple. The question of which
book I am allowed to burn depends on which books I own. But ownership
is a bidirectional property. We say "Marcus owns this book." as well
as "This book is owned by Marcus." In fact, some people write their
names into their books so that people can identify the owner.

Of course, this is not the whole story. If my book is locked away in
a safe, to which I do not have a key, I can't burn it. However, I can
still name it, and the book still "names me" as the owner. In fact, I
can name other people's books just as well as my own. If I sell a book
I own, ownership is transferred, but my ability to name it is kept
intact. This is essential, for example, to settle disputes.

It seems to me that in the real world, designation and authority are,
in fact, separated.

Capabilities are then an artificial simplification (or idealization if
you prefer). Useful to technicians who are otherwise overwhelmed by
the complexity of the tasks at hand, but not easily understood
conceptually and applied to real-world situations.

I would be careful then to dismiss the Unix paradigms as totally
broken. We know about the technical difficulties in making them work
correctly, according to a certain definition of correct. But they
seem to come straight out of the realm of human experience (never mind
the confusing details of their actual implementation, which are
well-known).

This does not mean per se that capabilities are inadequate as a
primitive mechanism to build higher-level systems that are more
intuitive. A lot of work has been done to reconstruct such
higher-level systems and their policies. But it does mean that there
is a barrier to understanding and adopting capabilities.
Thanks,
Marcus