[cap-talk] Understanding capabilities in a web-desktop setting

Luke A. Guest laguest at archeia.com
Fri Aug 8 09:56:13 CDT 2008


On Tue, 2008-08-05 at 10:41 +0100, Toby Murray wrote:

> In a web-based capability system, URLs take on the role of "names". To
> make them unforgeable, these URLs contain a large random string. Then
> entities can access a resource/object if and only if they have a
> (non-guessable) URL that refers to that resource/object.

I take it you mean that other pieces of software can't guess the URL?

If a capability URL has a large random string in there, you'll never
get users to use capability systems; I know I wouldn't want to try and
type in one of these URLs, or am I missing something?

> For example, when you double-click on a text file to open it in a
> text editor in CapDesk, the text editor is given the authority only to
> read that one file, and nothing else! Any vulnerabilities in the text
> editor do not make the rest of the system vulnerable!

What if I wanted to edit the text file rather than just read it?

> Someone really needs to write a "getting started with building
> capability-based web applications" article that shows how to hook up

No, someone needs to write an idiot's guide to capability systems without
formal notation to get people to understand this stuff. It also needs to
make sure that they don't include things like "unguessable" without
clarification of what that means, i.e. no abstract stuff. This stuff
isn't simple to understand, to me anyway, I've tried a number of times
to understand this stuff and I still don't. Seriously, if you want
people to start implementing capability systems, there needs to be
better documentation.

My interest lies in OSes and providing a better security mechanism
within one. So a few related questions here would be:

1) What would be the process of logging on to a capability OS (assuming
desktop or multi-user system rather than embedded)?

2) How does a user get these capabilities? I can only assume there would
be the concept of a user and they would have a list of capabilities.

3) What would happen if you tried to access a website, would it bring up
a ton of dialog boxes asking for permission, i.e. the Vista problem?

Thanks,
Luke.
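To make the capability-URL scheme quoted above concrete, here is an added example that is not part of the original message and is not code from CapDesk or any real web-capability system. It is a hypothetical Python registry: each capability URL carries a 256-bit token from a CSPRNG, the server stores only the token's hash (so a leaked table does not leak capabilities), a holder can delegate an attenuated capability (read-only from read/write) without ever learning the file's name, and a capability can be revoked. The host `example.invalid`, the `CapabilityStore` class and its method names are this example's own assumptions.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed placeholder origin; a real deployment would use its own host.
BASE = "https://example.invalid/cap/"
TOKEN_BYTES = 32                 # 256 bits of randomness per capability token
VALID_OPS = {"read", "write"}


def _digest(token: str) -> bytes:
    """Store only the hash: a copy of the table does not yield usable URLs."""
    return hashlib.sha256(token.encode("ascii")).digest()


class CapabilityStore:
    """Hypothetical server-side table: sha256(token) -> (resource, allowed ops)."""

    def __init__(self) -> None:
        self._caps = {}     # token digest -> (resource name, frozenset of ops)
        self._files = {}    # resource name -> contents (the protected objects)

    def add_file(self, name: str, contents: str) -> None:
        self._files[name] = contents

    def mint(self, resource: str, ops) -> str:
        """Create a fresh capability URL granting exactly `ops` on `resource`."""
        ops = frozenset(ops)
        if resource not in self._files or not ops <= VALID_OPS:
            raise ValueError("unknown resource or operation")
        # secrets (CSPRNG), never the random module: the token IS the authority.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._caps[_digest(token)] = (resource, ops)
        return BASE + token

    def _resolve(self, url: str):
        """Map a presented URL back to its entry; unknown tokens get no information."""
        token = urlsplit(url).path.rsplit("/", 1)[-1]
        entry = self._caps.get(_digest(token))
        if entry is None:
            raise PermissionError("no such capability")
        return entry

    def allowed(self, url: str, op: str) -> bool:
        """Non-raising check: does this URL confer `op`?"""
        try:
            _, ops = self._resolve(url)
        except PermissionError:
            return False
        return op in ops

    def attenuate(self, url: str, ops) -> str:
        """Delegate a weaker capability; the delegator never sees the file name."""
        resource, held = self._resolve(url)
        ops = frozenset(ops)
        if not ops <= held:
            raise PermissionError("cannot grant more authority than is held")
        return self.mint(resource, ops)

    def revoke(self, url: str) -> None:
        """Remove one capability; other URLs to the same resource keep working."""
        token = urlsplit(url).path.rsplit("/", 1)[-1]
        self._caps.pop(_digest(token), None)

    def read(self, url: str) -> str:
        resource, ops = self._resolve(url)
        if "read" not in ops:
            raise PermissionError("capability does not permit read")
        return self._files[resource]

    def write(self, url: str, contents: str) -> None:
        resource, ops = self._resolve(url)
        if "write" not in ops:
            raise PermissionError("capability does not permit write")
        self._files[resource] = contents


if __name__ == "__main__":
    store = CapabilityStore()
    store.add_file("notes.txt", "hello")          # constructed sample file
    rw = store.mint("notes.txt", {"read", "write"})
    ro = store.attenuate(rw, {"read"})           # what a viewer would be handed
    print("viewer can read:", store.allowed(ro, "read"))
    print("viewer can write:", store.allowed(ro, "write"))
    store.revoke(ro)
    print("after revoke, viewer can read:", store.allowed(ro, "read"))
```

The random string is only ever moved between programs (the launcher that opens a file hands the URL to the viewer), so its length costs the holder nothing; what matters is that a guessed URL, such as `BASE + "A" * 43`, resolves to nothing and leaks nothing. Looking entries up by hash is safe against timing attacks here because an attacker has to already know the token to produce a matching digest.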
