[cap-talk] A better reference for the "capabilities propagate too easily" argument

Jonathan S. Shapiro shap at eros-os.com
Wed Aug 1 11:21:20 EDT 2007

On Wed, 2007-08-01 at 07:47 -0700, Mark Miller wrote:
> I agree with David, but beyond that, I think it's simply that the
> computational paradigms that have come to dominate language work are
> * lambda-calculus
> * lambda-calculus with local side effects
> * taking naming & scoping rules seriously, e.g., lexical scoping
> * object oriented programming
> * abstraction mechanisms
> * design patterns
> In other words, they had already arrived at capabilities in all ways
> except for security.

I think it is much simpler than this. The world model of programmers
typically does not assume that programs are internally self-hostile.
Modularity is done for manageability and engineerability, not for
defensibility. In consequence, a purely discretionary,
designation=authority model is a perfect fit, and neither mandatory
control issues, confused deputy issues, nor revocation issues are
relevant problems.

