[cap-talk] Horton at HotSec '07: How broadly object/capability?

James A. Donald jamesd at echeque.com
Mon Jul 9 17:27:05 EDT 2007


Jed Donnelley wrote:
 > to me just screams that there is something seriously
 > broken in this system.  What I believe is broken is
 > the "ambient authority" (user) model of access
 > control. I simply don't see a viable alternative to
 > capabilities to fix this problem.
 >
 > Let's please hear alternative suggestions - even as
 > devil's advocates.

On past experience, when you say "let's hear" you do not
in fact want to hear alternative suggestions, and upon
them being presented, will deny that any alternative was
presented, and proceed to demonize the person presenting
them and misrepresent the proposal presented if he
persists.

The obvious alternative to capabilities is to protect
programs running under a single user from each other in
the same way that Unix protected users running under a
single operating system from each other, and any
practical solution must necessarily have some
substantial element of this.  Indeed, in order to
implement capabilities in the real world, where people
can and should write C++ programs with extensive access
to the net, to the user, and to system resources, we
have to first implement this solution before we can
implement capabilities.

And I am not going to present any more detail than that,
since on past experience, if I were to do so, anything I
said would be distorted to make the proposal ridiculous
and unworkable, accompanied by attacks upon my
character.

I have adjusted my filters to automatically delete all
further posts under this subject heading.  I do not
intend to continue this conversation, for I expect the
response to be insults and lies.
