[cap-talk] Selling capabilities programming
David Wagner
daw at cs.berkeley.edu
Wed Jul 25 22:19:08 EDT 2007
James Donald writes:
>The example case where capabilities are compellingly
>useful is the case of a powerbox granting file access to
>a particular file - and such a capability should be
>inherently transient - indeed it should not be possible
>for a powerbox to create and issue durable capabilities
>- there should be no general mechanism available to
>represent a communicable permission that is not
>transient.
I think you mean "an example case where capabilities are useful",
instead of "the example case". The powerbox is not the only such case.

I agree that powerboxes should grant transient capabilities. I do not
agree that it follows that object capability systems must never admit
even the possibility of a durable capability. That doesn't follow.

Another possibility is to construct the powerbox implementation so it
will only return transient capabilities. That seems like a perfectly
reasonable approach to me.