[cap-talk] Selling capabilities programming

James A. Donald jamesd at echeque.com
Sat Jul 21 19:13:03 EDT 2007


David Hopwood wrote:
 > The requirement (not justification) is to know all
 > capabilities *initially* held by *confined* domains or
 > entities. At no point, AFAIK, has it been suggested by
 > anyone on this list that either all domains must be
 > confined, or that all capabilities held by unconfined
 > domains must be known.
 >
 > Nor, as far as I can tell, is anyone arguing that
 > capability systems necessarily *must* support
 > confinement.

My original claim was that capabilities *may* be
represented by a sparsely populated address space, that
is to say, secrets.  I was told I was wrong - told I was
wrong repeatedly, vehemently, at excessive length, and in
an aggressively repetitious manner, told that I was
ignorant to say this, and offensive to keep on saying
it.

This dispute began when I originally wrote:
: :	A capability in this sense is a communicable
: :	permission to access a computer resource,
: :	typically a very fine grained permission, for
: :	example permission to access a particular
: :	file in a particular way.  At the
: :	implementation level, the permission may be
: :	implemented as a value in a sparsely
: :	populated address space that enables access
: :	to an event queue through a filter, and one
: :	program with such access can give another
: :	program access, possibly through an added
: :	filter, with additional constraints, such as
: :	reduced time to live.

If capabilities and domains do not necessarily need to
be "confined", if no one on this list has suggested
"that either all domains must be confined, or that all
capabilities held by unconfined domains must be known"
etc, then they *may* be implemented as a value in a
sparsely populated address space, capabilities *may* be
implemented as data, then "protection" of capabilities
is merely an implementation detail, then my original
position was correct, as was the position I have been
arguing for since.

It looks to me that people on this list *were* saying
that it was essential that all capabilities be confined,
that all domains be protected, but have subsequently
moderated their position considerably - from it being
essential to any real capabilities system to it merely
being a characteristic that is desirable to implement
where the costs of implementing it are not too high.
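The mechanism the post describes (a capability as a value in a sparsely populated address space, passed to another program as plain data, with a filter that can add constraints such as a reduced time to live) worked through as an added example. This is illustration code written for this page, not code from the original post or from any cap-talk participant; the server class, the event-queue resource, the rights names `post` and `read`, the 256-bit hex token format and the injectable clock are all assumptions made for the example.

```python
import secrets
import time

# Added example: a minimal "sparse capability" server.  A capability is an
# unguessable 256-bit value; the server maps it to a resource (here an event
# queue) plus a filter (allowed operations, expiry).  Holding the value is
# holding the permission, so it can be handed to another program as data;
# delegation mints a new value whose filter is never broader than its
# parent's.  Names, the queue and the rights set are illustrative assumptions.


class CapabilityServer:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._queues = {}            # queue name -> list of events
        self._caps = {}              # token -> (queue name, rights, expiry)

    def _new_token(self):
        # 32 random bytes: only the populated points of a 2^256 space are
        # valid capabilities, so guessing one is infeasible.
        return secrets.token_hex(32)

    def mint(self, queue, rights, ttl=None):
        """Create a root capability for `queue` with the given rights."""
        self._queues.setdefault(queue, [])
        expiry = None if ttl is None else self._clock() + ttl
        token = self._new_token()
        self._caps[token] = (queue, frozenset(rights), expiry)
        return token

    def delegate(self, token, rights=None, ttl=None):
        """Derive a child capability: intersect rights, keep the earlier expiry."""
        queue, parent_rights, parent_expiry = self._check(token)
        child_rights = parent_rights if rights is None else parent_rights & frozenset(rights)
        child_expiry = parent_expiry
        if ttl is not None:
            mine = self._clock() + ttl
            child_expiry = mine if parent_expiry is None else min(parent_expiry, mine)
        child = self._new_token()
        self._caps[child] = (queue, child_rights, child_expiry)
        return child

    def post(self, token, event):
        queue, rights, _ = self._check(token)
        if "post" not in rights:
            raise PermissionError("capability does not permit post")
        self._queues[queue].append(event)

    def read(self, token):
        queue, rights, _ = self._check(token)
        if "read" not in rights:
            raise PermissionError("capability does not permit read")
        q = self._queues[queue]
        return q.pop(0) if q else None

    def _check(self, token):
        entry = self._caps.get(token)
        if entry is None:
            raise PermissionError("unknown capability")
        queue, rights, expiry = entry
        if expiry is not None and self._clock() >= expiry:
            del self._caps[token]
            raise PermissionError("capability expired")
        return entry


def demo():
    """Mint, delegate and attenuate under a fake clock; returns facts to check."""
    now = [1000.0]
    srv = CapabilityServer(clock=lambda: now[0])
    root = srv.mint("alerts", {"post", "read"})
    # Hand a second program read-only access that dies in 60 seconds.
    reader = srv.delegate(root, rights={"read"}, ttl=60)
    # A further delegation cannot regain "post" or outlive its parent.
    grandchild = srv.delegate(reader, rights={"post", "read"}, ttl=3600)
    srv.post(root, "disk full")
    results = {"read_ok": srv.read(reader) == "disk full"}
    try:
        srv.post(grandchild, "x")
        results["post_denied"] = False
    except PermissionError:
        results["post_denied"] = True
    results["grandchild_rights"] = set(srv._caps[grandchild][1])
    results["grandchild_expiry"] = srv._caps[grandchild][2]
    now[0] += 61
    try:
        srv.read(grandchild)
        results["expired"] = False
    except PermissionError:
        results["expired"] = True
    results["root_still_valid"] = srv.read(root) is None   # no TTL; queue empty
    results["forged_denied"] = True
    try:
        srv.read("00" * 32)                                  # a guessed value
        results["forged_denied"] = False
    except PermissionError:
        pass
    return results
```

Two points the example makes concrete: the filter lives with the server's table, so a holder can pass the token on but cannot widen what it permits, and the protection of the value itself (keeping it off the wire in the clear, not logging it) is what the post calls an implementation detail rather than part of the capability model.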