[cap-talk] Understanding capabilities in a web-desktop setting
David-Sarah Hopwood
david.hopwood at industrial-designers.co.uk
Mon Aug 11 11:18:43 CDT 2008
James A. Donald wrote:
> David-Sarah Hopwood wrote:
> > Whether I am designing a capability system, teaching
> > about them, or promoting them, I have no idea why I
> > would want to talk about "the powerbox user interface
> > pattern" *instead of* the more general principles that
> > the pattern supports.
>
> In the past, I have argued that capabilities are
> inappropriate for many problems. Those discussions led
> to more heat than light, and I see no point in
> revisiting them.
Capabilities are a *general-purpose* access control, communication,
and authorization mechanism. Their use doesn't preclude using other
access control mechanisms as well, but a system designer must choose
*one* mechanism as the basis of the system [*], if it is not to be
so overcomplicated as to preclude security from the start. At that
level, I see no viable alternative to capabilities that does not
introduce systemic weaknesses (in particular, vulnerability to
confused deputy attacks, and an inability to support sufficiently
small, mutually suspicious, protection domains).
[*] A "system" may be a language, operating system, hardware
architecture, network protocol, database, etc.
--
David-Sarah Hopwood
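The confused-deputy weakness the post names, as an added illustration that is not from the cap-talk thread or its author: a toy "compile" service that writes its output wherever the client names a path, under an identity-based (ambient authority) model, beside the same service rewritten to write only through a capability the client actually holds. All identities, paths and the two in-memory stores are constructed for this example; Python does not itself make the WriteCap object unforgeable, so the class models the design discipline rather than enforcing it.

```python
"""Confused deputy: ambient-authority deputy vs. capability-passing deputy.

Constructed illustration. Identities, paths and stores are invented;
WriteCap is unforgeable only by convention here (Python cannot enforce it).
"""
from __future__ import annotations


# ---------- Model 1: ambient authority (identity-based access list) ----------

class AclStore:
    """Each path carries a set of identities allowed to write it.
    Authority flows from *who the caller is*, not from what it was handed."""

    def __init__(self) -> None:
        self.files: dict[str, str] = {}
        self.acl: dict[str, set[str]] = {}

    def write(self, identity: str, path: str, data: str) -> None:
        if identity not in self.acl.get(path, set()):
            raise PermissionError(f"{identity} may not write {path}")
        self.files[path] = data  # write replaces the file's contents


def acl_compile(store: AclStore, source: str, out_path: str) -> None:
    """The deputy runs as 'compiler', which may write its own billing log.
    It then writes the client's output to whatever path the client named,
    using its *own* identity, so the client's path is checked against the
    deputy's rights instead of the client's. That is the confused deputy."""
    store.write("compiler", "/var/compiler/billing.log", "alice: 1 job\n")
    store.write("compiler", out_path, f"compiled({source})")


def run_acl_scenario() -> dict[str, str]:
    store = AclStore()
    store.acl["/var/compiler/billing.log"] = {"compiler"}
    store.acl["/home/alice/out.o"] = {"compiler", "alice"}
    store.files["/var/compiler/billing.log"] = "bob: 3 jobs\n"
    # Alice cannot write the billing log directly ...
    try:
        store.write("alice", "/var/compiler/billing.log", "")
    except PermissionError:
        pass
    # ... but the deputy does it for her, because only its rights are checked.
    acl_compile(store, "main.c", out_path="/var/compiler/billing.log")
    return dict(store.files)


# ---------- Model 2: capabilities (authority is what you hold) ----------

class WriteCap:
    """An unforgeable-by-convention handle granting write access to one path.
    There is no path-based write API: a caller can write exactly what it holds."""

    __slots__ = ("_store", "_path")

    def __init__(self, store: CapStore, path: str) -> None:
        self._store = store
        self._path = path

    def write(self, data: str) -> None:
        self._store.files[self._path] = data


class CapStore:
    def __init__(self) -> None:
        self.files: dict[str, str] = {}

    def grant(self, path: str) -> WriteCap:
        """Mint a capability; in a real system only the store's owner could."""
        return WriteCap(self, path)


def cap_compile(billing: WriteCap, source: str, out: WriteCap) -> None:
    """The deputy holds a capability to its billing log and writes output
    only through the capability the client passed. The client never *names*
    the output location; it must *hold* a capability to it, so the deputy's
    own billing capability can never be selected as the client's target."""
    if not isinstance(out, WriteCap):
        raise TypeError("output must be a WriteCap held by the caller")
    billing.write("alice: 1 job\n")
    out.write(f"compiled({source})")


def run_cap_scenario() -> dict[str, str]:
    store = CapStore()
    store.files["/var/compiler/billing.log"] = "bob: 3 jobs\n"
    billing_cap = store.grant("/var/compiler/billing.log")  # held by the deputy only
    alice_out = store.grant("/home/alice/out.o")  # the one capability Alice holds
    # Alice's whole authority is alice_out; she has no handle to the log to pass.
    cap_compile(billing_cap, "main.c", out=alice_out)
    return dict(store.files)


if __name__ == "__main__":
    print("ambient authority:", run_acl_scenario())
    print("capabilities:     ", run_cap_scenario())
```

The point of the contrast is where the check happens: in the first store the deputy's identity is consulted at the moment of the write, so any path it is handed is in scope; in the second there is nothing to check, because the only thing the deputy can do with the client's request is use the handle the client already possessed.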