[cap-talk] Selling capabilities programming

Jonathan S. Shapiro shap at eros-os.com
Thu Jul 19 00:57:40 EDT 2007

On Thu, 2007-07-19 at 04:26 +0100, David Hopwood wrote:
> Which goals do you assert to be conflicting?
> PS. I am interested in having a technical discussion about this subject,
>     but I'm not interested in listening to vague rants or descriptions
>     of people as having "dysfunctional personalities", whatever project
>     they were involved with. I suspect that most of us here have to deal
>     with more than enough 'politics' in our paid work, to have any time
>     for it on this list.

I agree on all counts. However, before we let this go entirely, I want
to go back to an earlier statement that James made:

> Seems to me that...
> the ideal imagined capability system is getting
> further and further from being written.

James: From your early posts in this thread, you seem to feel that the
"protected" part of protected capability systems is somehow unnecessary.
My exchange with Jed has made it very clear why the protection is
necessary. My exchange with you has also done so.

What I have stated is that capability protection is a precondition to
controlling authority propagation, which is in turn a precondition to
confinement. Confinement is the only basis technology we have that lets
us run unsafe and/or hostile programs while retaining control of our

As to this being an "ideal" or "imagined" requirement, I'm sorry, but
the mathematical underpinnings of confinement are pretty unequivocal.
There are now *many* capability systems that correctly implement
protected capabilities -- it isn't that hard to do. So the only way I
can view this as an unnecessary requirement is if we conclude that user
safety is unimportant.

Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
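The point Shapiro makes above, that unforgeable ("protected") capabilities are what make it possible to control authority propagation and hence to confine a hostile program, can be shown with two toy kernels. The following is an added illustration written for this page, not code from the cap-talk thread, EROS, or any other capability system. The File class, the two kernel classes, the file names and the "hostile program" are all constructed for the example. In the first kernel a capability is a small integer indexing a global table, so a program can forge capabilities by guessing; in the second a capability is an opaque kernel-issued object, so a program holds exactly the authority it was handed and nothing more. Python cannot prevent introspection of the Capability object, so the confined program here is a cooperating simulation of the model, not a real sandbox.

```python
"""Protected vs. forgeable capabilities: a constructed illustration.

Two toy "kernels" (not real systems). In ForgeableKernel a capability is an
integer index into a global table, so any program can enumerate the table.
In ProtectedKernel a capability is an opaque object that only the kernel
creates, so a program can reach only the objects it was explicitly given.
Python offers no protection against introspection (e.g. reading private
attributes), so hostile_program below is a cooperating simulation.
"""


class File:
    """Constructed sample object protected by capabilities."""

    def __init__(self, name, data):
        self.name, self.data = name, data

    def read(self):
        return self.data

    def write(self, data):
        self.data = data


class ForgeableKernel:
    """Capabilities are small integers; a program can simply guess them."""

    def __init__(self):
        self._table = {}
        self._next = 1

    def create(self, obj, methods=("read", "write")):
        cap = self._next
        self._next += 1
        self._table[cap] = obj
        return cap

    def invoke(self, cap, method, *args):
        obj = self._table.get(cap)
        if obj is None:
            raise PermissionError("no such capability")
        return getattr(obj, method)(*args)


class Capability:
    """Opaque handle: the only way to get one is from ProtectedKernel."""

    __slots__ = ("_target", "_methods")

    def __init__(self, target, methods):
        self._target = target
        self._methods = frozenset(methods)


class ProtectedKernel:
    """Capabilities are unforgeable objects; authority moves only by explicit transfer."""

    def create(self, obj, methods=("read", "write")):
        return Capability(obj, methods)

    def invoke(self, cap, method, *args):
        if not isinstance(cap, Capability) or method not in cap._methods:
            raise PermissionError("invalid capability or method")
        return getattr(cap._target, method)(*args)

    def attenuate(self, cap, methods):
        """Derive a weaker capability (e.g. read-only) from a stronger one."""
        return Capability(cap._target, set(methods) & cap._methods)


def hostile_program(kernel, own_caps):
    """Runs with only own_caps and tries to read everything it can reach,
    including capabilities it was never given (guessed integers 1..99)."""
    leaked = []
    for cap in list(own_caps) + list(range(1, 100)):
        try:
            leaked.append(kernel.invoke(cap, "read"))
        except PermissionError:
            pass
    return leaked


def run_confinement_test(kernel_cls):
    """Owner keeps secret_cap private and hands the program only scratch_cap.
    Returns whatever the hostile program managed to read."""
    kernel = kernel_cls()
    secret = File("secret.txt", "SECRET")      # constructed sample data
    scratch = File("scratch.txt", "scratch")
    kernel.create(secret)                       # never passed to the program
    scratch_cap = kernel.create(scratch)        # the program's only authority
    return hostile_program(kernel, [scratch_cap])


def attenuation_demo():
    """Propagation control: pass on a read-only capability, not the full one."""
    kernel = ProtectedKernel()
    report = File("report.txt", "v1")
    full = kernel.create(report)
    read_only = kernel.attenuate(full, ["read"])
    try:
        kernel.invoke(read_only, "write", "tampered")
        return "write succeeded"
    except PermissionError:
        return kernel.invoke(read_only, "read")


if __name__ == "__main__":
    print("forgeable:", run_confinement_test(ForgeableKernel))   # leaks SECRET
    print("protected:", run_confinement_test(ProtectedKernel))   # only scratch
    print("attenuated:", attenuation_demo())                     # still v1
```

With the forgeable kernel the confined program reads the secret by guessing index 1, so there is no way to reason about where authority flows. With the protected kernel the program's reachable set is exactly the capabilities it was given, and attenuate shows the owner deciding how much of that authority propagates onward; both properties are the preconditions for confinement that the post refers to.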