[cap-talk] Monash as an object-cap system or not

Jed Donnelley capability at webstart.com
Thu Jan 11 12:31:34 CST 2007


At 09:13 AM 1/11/2007, Mark S. Miller wrote:
>Jed Donnelley wrote:
>...
> > For me these are engineering tradeoffs, not a qualitative
> > concern about functionality.  Are such engineering tradeoffs
> > something we want to base a relatively low level distinction
> > in an ABAC taxonomy on?
>
>What do you mean by "low level"?

                                         ABAC (capability) systems:

Object-capability systems                       Others

Language,  OS                                   Language, OS, network
E,        KeyKOS, EROS, Coyotos, etc.   ?         Monash, YURLs, etc.

     /           /         |              \          \ 
                    /         |         \

Even flipping the ordering of the taxonomy (e.g. consider the first
division to be language, OS, and network) in my mind doesn't really help
to avoid the sense of a negative label ("object" vs. not) with a high
degree of bogosity IMO.

In what sense are the systems that don't depend on cryptography any
more "objective"?  Perhaps there is another label that would be more
appropriate?  For example, pointer or descriptor?  I argue that the
separation we're considering (dependence or not on the inability to
guess) is an implementation level distinction, not a functional distinction.

> > I know MarkM said he doesn't want to consider "object capability"
> > "good" and more general capability mechanisms (e.g. those which
> > depend on crypto) "bad", but doesn't the classification come off
> > that way if the distinction is that the one is 'safe' from
> > guessing (not really of course) and the other is 'vulnerable'
> > to guessing?
>
>I also don't want to lose the distinction between Aleph 1 and 2**Aleph null.
>The distinction is actually there, so we should acknowledge it.

Huh?  Isn't the above distinction equivalent to the negation of the Continuum
Hypothesis?  Last I heard the Continuum Hypothesis had been shown to
be independent of the other axioms of set theory.  In that sense the above
distinction is pretty fine.  Is that what you meant?

In this case I believe we're talking about the distinction between a very
small number and zero - though in fact in practical terms the small number
(risk) is there in any system for a variety of reasons (user level
authentication, hardware failure, etc., etc.).

>We should just be careful to present it in such a way as not to imply value
>judgments that we believe to be bogus.

That's the primary issue that I'm trying to address in arguing against the
"object" label for this class of capability systems.  I see them in no sense
as more "objective" than systems based on cryptography.  Implying so seems
to me to suggest a "bogus" level of deprecation.

--Jed http://www.webstart.com/jed/ 
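The implementation-level distinction Jed draws above (designation checked against a kernel-held table versus designation that works only because the key space cannot be searched) is easy to see side by side in code. The following is an added illustration written for this archive page, not code from the thread or from any of the systems it names (E, KeyKOS, EROS, Coyotos, Monash, YURLs). The descriptor-table kernel, the sparse-key registry, the 128-bit key size and the process names are all assumptions made for the example.

```python
import hashlib
import secrets
from typing import Any, Dict, List


class DescriptorKernel:
    """Object-capability style: authority lives in a kernel-held table.

    A process names objects only by small integers that index its own
    descriptor table, so the only designations it can form are exactly the
    ones it was granted. There is nothing to guess: an index outside the
    table is simply invalid, whatever value the process tries.
    (Assumed toy design for this example, not any named system's kernel.)
    """

    def __init__(self) -> None:
        self._tables: Dict[str, List[Any]] = {}

    def grant(self, pid: str, obj: Any) -> int:
        """Append obj to pid's descriptor table and return the new index."""
        table = self._tables.setdefault(pid, [])
        table.append(obj)
        return len(table) - 1

    def invoke(self, pid: str, descriptor: int) -> Any:
        """Resolve a descriptor for pid; any ungranted index faults."""
        table = self._tables.get(pid, [])
        if not 0 <= descriptor < len(table):
            raise PermissionError(f"{pid}: invalid descriptor {descriptor}")
        return table[descriptor]


class SparseKeyRegistry:
    """Sparse/crypto-capability style (the YURL-like column of the taxonomy).

    Whoever presents a random key gets the object; nothing ties the key to
    a particular process. Unforgeability rests only on the key space being
    too large to search, so the residual risk is small but nonzero. Keys are
    stored hashed so the registry never holds the raw secrets itself.
    (Assumed toy design; 128-bit keys are an assumption for the example.)
    """

    KEY_BYTES = 16  # 128-bit capability keys

    def __init__(self) -> None:
        self._objects: Dict[bytes, Any] = {}

    def register(self, obj: Any) -> bytes:
        """Mint a fresh random key for obj and return it to the caller."""
        key = secrets.token_bytes(self.KEY_BYTES)
        self._objects[hashlib.sha256(key).digest()] = obj
        return key

    def invoke(self, key: bytes) -> Any:
        """Look up the object designated by key; unknown keys are refused."""
        digest = hashlib.sha256(key).digest()
        if digest not in self._objects:
            raise PermissionError("unknown capability key")
        return self._objects[digest]

    def guess_success_probability(self) -> float:
        """Chance that one uniformly random key hits some registered object.

        This is the "very small number" of the thread: it is never zero,
        in contrast to the descriptor table where no guess can succeed.
        """
        return len(self._objects) / 2 ** (8 * self.KEY_BYTES)


if __name__ == "__main__":
    kernel = DescriptorKernel()
    d = kernel.grant("alice", "file-A")
    print("alice descriptor", d, "->", kernel.invoke("alice", d))
    try:
        kernel.invoke("bob", d)  # same index, different table: faults
    except PermissionError as err:
        print("descriptor model:", err)

    registry = SparseKeyRegistry()
    key = registry.register("file-B")
    print("any key holder ->", registry.invoke(key))
    print("random-guess success probability:",
          registry.guess_success_probability())
```

The two classes expose the same operation (turn a designation into an object) but differ in where the check lives: the kernel consults a per-process table, so the set of valid designations is exactly the granted set, while the registry accepts any key from anywhere, so its safety is a probability rather than a structural property.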