[cap-talk] password capabilities & object capability model?

Toby Murray toby.murray at comlab.ox.ac.uk
Thu Aug 21 06:35:15 CDT 2008


On Tue, 2008-08-19 at 07:12 -0700, Mark Miller wrote:
> On Tue, Aug 19, 2008 at 3:06 AM, Rob Meijer <capibara at xs4all.nl> wrote:
> > Currently I talk about MinorFs as a 'capability based' system.
> > MinorFs in contrast with most recent capability based systems that
> > advocate to be 'object capability' systems, uses password capabilities.
> 
> Sorry, but this very common and useful category of capability system,
> even when used in an object-oriented style, is neither an
> object-capability system nor a password capability system.
> 
> It isn't ocaps, since references are unguessable rather than
> unforgeable. Put another way, access is based on what you know rather
> than what you have. Knowledge can be transferred even through one-way
> bit channels, and so the star properties are impossible.

I would phrase the distinction differently. A capabilities-as-data system allows capabilities to be transferred over any bit channel. Hence it doesn't enforce "only connectivity-begets-connectivity" and hence is not an ocap system.

This gets at the heart of the problem. The unforgeability vs unguessability is a red herring imo.
 
> 
> As I was first using the term "password capabilities", it is a
> password capability system, but the Monash system is not. But then
> (years ago on cap-talk) Toby pointed out that the term "password
> capabilities" was coined by the Monash system to describe what they
> were doing. I agree that this historic claim does and should take
> precedence.

So do I, except I also recognise that pragmatically, "password
capability system" has become synonymous with "capabilities-as-data
system" (which is my personal preference.)

> 
> For what you are doing, the proper historic term in the literature,
> (first?) used by Amoeba, is "sparse capabilities".

Agreed. Sparse caps are a sub-category of "caps-as-data".

>  I sometimes use
> that, but I prefer "cryptographic capabilities" or "cryptocaps". Also
> used on cap-talk (and I think first suggested by Jed Donnelley):
> "capabilities as data". But it's quite a mouthful.
> 
> If you only have authenticity but not unguessability, then perhaps
> YURL. If only unguessability without authenticity, then perhaps
> "webkey". If both, I recommend "cryptocap".

Cryptocap suggests cryptography, no? Which is not an essential feature.


Cheers

Toby


