[cap-talk] Selling capabilities programming
James A. Donald
jamesd at echeque.com
Sun Jul 29 21:05:55 EDT 2007
Karp, Alan H wrote:
> > > I want to second Jonathan's remark about the
> > > effect such assumptions by the designer might have
> > > and add that it adds a security burden to the
> > > user. I often have several PDFs open at the same
> > > time. Acrobat Reader reuses a running instance
> > > when you open a new document. Hence, relying on
> > > the process lifetime for security properties
> > > requires users to understand details of the
> > > implementation.
James A. Donald:
>> No it does not. Adobe Acrobat does not keep files
>> open indefinitely, and should not keep capabilities
>> around indefinitely. A capability, like a file
>> handle, should normally be closed by a program. But
>> if the program crashes, or just never closes the
>> file, the file handle gets closed eventually anyway.
Karp, Alan H:
> Yes, but that's not the problem I'm talking about. As
> I understand your proposal, users need to understand
> that the unit of protection is the lifetime of the
> running process so that they can close one instance
> before opening another having a different level of
> trust.
That is not how I understand my proposal. Users should
never think about trust, and are unlikely to think about
trust while doing their work because they are focused on
the task at hand. They won't think about trust, and if
they need to think about trust, the system is insecure.
End users and system administrators should never do, or
even think about, most of the stuff that people in this
list seem to talk about them doing. If they have to
think about it, it is a security failure.
My proposal is aimed at ensuring they do not have to
think about trust, and if they do think about it, their
user interface is not cluttered up by giving them any
readily accessible means to do anything about it.
If you give the user the means to create a durable
capability he will use it. If you make it so he *needs*
to create durable capabilities, he will automatically
make lots and lots of durable capabilities, and make
them available to everything.