[cap-talk] Understanding capabilities in a web-desktop setting

James A. Donald jamesd at echeque.com
Sat Aug 9 01:45:55 CDT 2008


Ivan Krstić <krstic at solarsail.hcs.harvard.edu> wrote:
 > Capabilities are currently hand-waving. Nothing more.
 > They're mostly undocumented and unexplained. My calls
 > on this list for a single cogent, coherent writeup
 > with good non-hypothetical examples such as those from
 > the Tahoe FS, went unanswered. Interested developers
 > are reduced to joining an obscure and often
 > exasperating mailing list to ask what the capability
 > approach even means. Against this backdrop, ACLs and
 > their known deficiencies look pretty damn good.

Therefore I recommend that one instead says "The
powerbox user interface pattern"
<http://jim.com/security/safe_operating_system.html> -
which pattern is related to using capabilities, and
related to the principle of least authority, but not the
same thing.

"The principle of least authority" sounds suspiciously
like popping up confirmation dialogs for everything, or
worse, as with DCOM security, stuff just mysteriously
not working for inexplicable and incomprehensible
reasons of security policy. The hard part is to do it
right, so that one never gets those dreaded confirmation
dialogs, and doing it right requires the powerbox user
interface pattern, and something that functions somewhat
like capabilities.
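As an added illustration (not from Donald's post or from the jim.com page he links), the shape of the powerbox pattern in Python: the untrusted viewer never receives a path and never sees a confirmation dialog, only a read capability for the file the user picked. ReadCap, Powerbox, untrusted_viewer and the temporary files are constructed for this example.

```python
import os
import tempfile


class ReadCap:
    """Read-only capability for one file: wraps an open descriptor and
    exposes no path, so the holder cannot widen it to other files."""

    def __init__(self, path):
        self._fd = os.open(path, os.O_RDONLY)

    def read(self):
        os.lseek(self._fd, 0, os.SEEK_SET)
        chunks = []
        while block := os.read(self._fd, 4096):
            chunks.append(block)
        return b"".join(chunks)

    def close(self):
        os.close(self._fd)


class Powerbox:
    """Trusted chooser: the user's pick is itself the grant, so no
    separate "allow this program to read X?" dialog is ever shown."""

    def __init__(self, chooser):
        self._chooser = chooser  # callable standing in for a real file dialog

    def request_read(self):
        return ReadCap(self._chooser())


def untrusted_viewer(powerbox):
    """Application code: asks the powerbox and uses whatever it is handed."""
    cap = powerbox.request_read()
    try:
        return cap.read()
    finally:
        cap.close()


def demo():
    """Constructed scenario: two files exist, the user picks one, the
    viewer reads that one and is told nothing about the other."""
    with tempfile.TemporaryDirectory() as d:
        chosen = os.path.join(d, "notes.txt")
        other = os.path.join(d, "unrelated.txt")
        for path, body in ((chosen, b"user's notes"), (other, b"never granted")):
            with open(path, "wb") as f:
                f.write(body)
        return untrusted_viewer(Powerbox(chooser=lambda: chosen))
```

Python cannot actually withhold ambient authority (any module may `import os`), so this shows the interface discipline of the pattern, not its enforcement; a real powerbox lives in a runtime or OS that gives application code no other route to the file system.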
