[cap-talk] Architectural Choices for Security: terminology

David Hopwood david.hopwood at industrial-designers.co.uk
Sun Nov 18 22:52:12 EST 2007

Jed Donnelley wrote:
> It seems to me that another distinction that is rolling around
> in here is the ability or non ability to delegate.  For me that
> is the fundamental aspect of a "capability" system.

Nope. Non-capability systems that support impersonation (e.g.
Windows NT) provide the ability to delegate. They do so in an
extremely dangerous and error-prone way -- so much so that it is
probably not a good idea to ever use this mechanism -- but they
do provide it. Even Unix 'setuid/setgid' provide some ability to

In an IBAC system, whether a request succeeds is dependent on the
requesting subject. That holds regardless of differences between
systems as to which properties of a subject are tested.

In a cap system, whether a given request succeeds it is not dependent
on the requesting subject at all. Different subjects are distinguished
by being able to send different messages, and it is only the message
contents that determine what happens.

David Hopwood

More information about the cap-talk mailing list