[cap-talk] Selling capabilities programming
James A. Donald
jamesd at echeque.com
Fri Jul 20 00:44:08 EDT 2007
Jonathan S. Shapiro wrote:

> James: From your early posts in this thread, you seem
> to feel that the "protected" part of protected
> capability systems is somehow unnecessary. My exchange
> with Jed has made it very clear why the protection is
> necessary.

I was not only unconvinced by your exposition, but was
also convinced that any attempt to discuss the matter
will be fruitless.

> What I have stated is that capability protection is a
> precondition to controlling authority propagation,
> which is in turn a precondition to confinement.

Controlling authority propagation is not a precondition
to confinement. Most communicable authorities should
be small and their duration session limited. If small
and session limited, controlling their propagation
provides limited benefits.

Like most things, protected capabilities are useful for
some purposes, and inconvenient for others, and the
appropriate method can only be ascertained in the light
of the concrete particulars of the situation. It is
easy to imagine situations where such protection would
involve excessive implementation costs, administrative
costs, round trip costs, process synchronization costs,
public key overheads, or loss of privacy. If you want to
control their propagation, and your aunt Vera is system
administrator of her home network, then aunt Vera has to
control their propagation, which may well be a problem,
particularly when little Johnny is on aunt Vera's
network.

There are some dangerously substantial and durable
authorities that one does not want ever to be
communicated. Making them communicable authorities, and
then forbidding the communication of these authorities
but not others, seems a perversely complex way of
dealing with that problem.