[cap-talk] Capability-based Projects - theory vs. practice

Mark Miller erights at gmail.com
Thu Aug 2 16:35:31 EDT 2007


> I suspect so, but more importantly: Mach uses principal-based access
> control, because ports do not survive system restart. Chorus likewise.

If I recall correctly, likewise Spring. Capabilities were ephemeral
caches of ACL-based security decisions. All protection state which
survived restart was only in the ACLs.

Correct caching of mutable state generally requires some kind of cache
invalidation logic. Spring caps as caches had no such invalidation
logic. An issued descriptor remained valid even after access in the
ACL was revoked. Their security thus relied on having a short MTBF.

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
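Added illustration, not part of the post above: a toy model of the cache-without-invalidation problem described there, a Spring-style descriptor that keeps its cached ACL decision after the ACL entry is revoked, beside a generation-tagged variant that re-validates on use. The class names, the generation counter and the "file"/"alice" inputs are constructed for the example and are not Spring's actual design.

```python
from dataclasses import dataclass, field
@dataclass
class Acl:
    # Authoritative protection state: object -> set of allowed principals.
    entries: dict = field(default_factory=dict)
    generation: int = 0   # bumped on every change; consulted by EpochCap only
    def grant(self, obj, principal):
        self.entries.setdefault(obj, set()).add(principal)
        self.generation += 1
    def revoke(self, obj, principal):
        self.entries.get(obj, set()).discard(principal)
        self.generation += 1
    def allows(self, obj, principal):
        return principal in self.entries.get(obj, set())

@dataclass
class StaleCap:
    # Spring-style: decision cached at issue time and never re-checked,
    # so the descriptor stays valid after the ACL entry is revoked.
    obj: str
    principal: str
    allowed: bool
    def use(self, acl):
        return self.allowed   # acl is ignored: no invalidation logic

@dataclass
class EpochCap(StaleCap):
    # Same cache tagged with the ACL generation; any ACL change forces re-validation.
    generation: int = 0
    def use(self, acl):
        if self.generation != acl.generation:   # cache is stale: refresh it
            self.allowed = acl.allows(self.obj, self.principal)
            self.generation = acl.generation
        return self.allowed

def issue(cap_cls, acl, obj, principal):
    # Issue a descriptor caching the ACL decision current at issue time.
    cap = cap_cls(obj, principal, acl.allows(obj, principal))
    if isinstance(cap, EpochCap):
        cap.generation = acl.generation
    return cap

def revocation_scenario(cap_cls):
    # Grant, issue a cap, revoke the ACL entry; report access (before, after).
    acl = Acl()
    acl.grant("file", "alice")
    cap = issue(cap_cls, acl, "file", "alice")
    before = cap.use(acl)
    acl.revoke("file", "alice")
    return before, cap.use(acl)
```

`revocation_scenario(StaleCap)` returns `(True, True)`, the stale descriptor still granting access after revocation, while `revocation_scenario(EpochCap)` returns `(True, False)`.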
