[cap-talk] Capability beginner questions

Kevin Reid kpreid at mac.com
Wed Oct 3 10:50:06 EDT 2007


On Oct 3, 2007, at 10:15, Matheus Morais wrote:
> Yes, your assumptions are correct; I wanted to create a protected
> capability environment. Well, now I'm a bit lost: is the key the
> identifier that points to an object which has that capability, or to
> what _action_ that capability could provide to the object? I was
> thinking in that manner: the key is used to identify what object
> that capability is assigned to, and the r_list will provide what
> permissions are given by that capability.

The capability data structure must contain information to specify (in the understanding of the capability-system-kernel) what should happen when that particular capability is invoked. That is the necessary and sufficient information.

> For example, when a program P calls to write in a file F, the system
> will check in P's capability list whether the key pointing to F exists
> and then look at what actions (r_list) will be available to P over F.

This is not a capability system; it implements ambient authority, and has the Confused Deputy problem.

To be a capability system, the program *MUST* be required to specify *which capability* it wishes to invoke, and there must not be any *separate* way of specifying which file it wishes to write.

As soon as you search a capability list for a matching authority, you have created a confused deputy: a program may accidentally use a capability it has for the wrong purpose.

-- 
Kevin Reid                            <http://homepage.mac.com/kpreid/>
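The two designs discussed in this exchange, as an added example that is not part of the thread: the c-list lookup Matheus described (the kernel searches P's list for a key matching the file name the caller named) beside a design where the caller hands over the capability it wants invoked. The compiler-as-deputy scenario, the file names and the `AmbientProgram`/`WriteCap` classes are constructed for illustration; Python cannot make `WriteCap` unforgeable, so the example assumes a program only holds the caps it was handed.

```python
# Added example (not from the cap-talk thread): c-list search vs. capability
# invocation, using the classic compiler-as-deputy scenario.
from dataclasses import dataclass

FILES = {"/home/user/out": "", "/var/compiler/ledger": "billing:"}  # constructed

# --- Design 1: the kernel searches the program's c-list by file name ---------
class AmbientProgram:
    def __init__(self, clist):
        self.clist = clist          # key = file name, value = r_list (permissions)

    def write(self, name, data):
        # Authority is found by *searching*, not by the caller naming a cap.
        if "write" not in self.clist.get(name, ()):
            raise PermissionError(name)
        FILES[name] += data

def ambient_compile(compiler: AmbientProgram, output_name: str) -> None:
    """The deputy writes its output to whatever name the user supplied."""
    compiler.write(output_name, "code;")

def confused_deputy_demo() -> bool:
    FILES["/var/compiler/ledger"] = "billing:"
    compiler = AmbientProgram({"/var/compiler/ledger": {"write"},   # its own log
                               "/home/user/out": {"write"}})
    # The user names the ledger as the output file; the c-list search finds the
    # compiler's own capability and the write succeeds with the deputy's authority.
    ambient_compile(compiler, "/var/compiler/ledger")
    return FILES["/var/compiler/ledger"] != "billing:"    # True: ledger corrupted

# --- Design 2: the caller passes the capability to be invoked ----------------
@dataclass(frozen=True)
class WriteCap:
    path: str                        # designation and authority in one object

    def write(self, data: str) -> None:
        FILES[self.path] += data

def cap_compile(output: WriteCap) -> None:
    """No name lookup: the deputy can only write through the cap it was given."""
    output.write("code;")

def capability_demo() -> bool:
    FILES["/var/compiler/ledger"] = "billing:"
    FILES["/home/user/out"] = ""
    ledger_cap = WriteCap("/var/compiler/ledger")   # held by the compiler only
    user_cap = WriteCap("/home/user/out")           # all the user holds (assumed)
    cap_compile(user_cap)     # the user can only pass a cap it actually holds
    # ledger_cap is never reachable from the user's request, so the ledger is intact.
    return FILES["/var/compiler/ledger"] == "billing:" and FILES["/home/user/out"] == "code;"
```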
