[cap-talk] Understanding capabilities in a web-desktop setting
krstic at solarsail.hcs.harvard.edu
Tue Aug 5 14:58:25 CDT 2008

On Aug 5, 2008, at 4:54 AM, tsr wrote:
> Now to what I think is my question how do I implement this in a
> capabilities kind of way?

Let me turn this question back towards you: what problem do you have
with a traditional ACL-based authorization model that you think (or
hope, or wish) capabilities will solve for you in your system?

You appear to be saying "I've heard about capabilities, they sound
interesting, I want to use them for my system. Now, what are they and
how do I implement them?" Needless to say, this is a horrifically
backwards way to approach any kind of engineering, software or
otherwise, akin to saying "I've heard about Rolls Royce jumbo-jet
engines, they sound interesting, I want to use them for my bicycle.
Now, what are these jumbo-jet engines and how do I wire them to my

An enumeration of the problems you're trying to solve and the security
properties you wish your system to have should be your first step. The
next should be finding the simplest solution which delivers those
properties. Capabilities may be that solution, though they most often
aren't due to cumulative complexities of production systems.

Ivan Krstić <krstic at solarsail.hcs.harvard.edu> | http://radian.org