[cap-talk] Heresy: Confused Deputies do NOT Justify Capabilities
Jonathan S. Shapiro
shap at eros-os.com
Fri Aug 22 12:26:18 CDT 2008
On Fri, 2008-08-22 at 09:58 -0700, David Mercer wrote:
> I agree with the basic premise, but have some reservations as to its
> operational safety. If such authority designation objects are
> required with each call without a default authority object,
> programmers will almost find it unduly inconvenient, and not wish to
> use such a system.
If the core API were designed that way, someone would soon build an
overlay library.
> If there is a default authority object, through
> either laziness or accidentally overlooking the need to switch
> permissions, the types of violations of POLA currently present in
> (nearly all) ACL systems would occur.
Yes, but this is the result of mis-designation, which is equally
possible in capability systems. We cannot, in principle, eliminate the
possibility of mis-designation. The best we can do is make designation
possible and limit the number of programs that arbitrate across multiple
sources of authority (and also the complexity of those programs).
> It is the need to supply two
> references, to the object being invoked and the authority object that
> goes against natural programmer laziness.
I don't think there is any substantiating evidence known for this
statement.
> Having to think about which
> authority object is appropriate to an individual call is an even
> greater cognitive burden.
In practice I do not believe so. Most programs will never care, and
those programs that do need to be very careful about this in any case.
> Of course capabilities get around this by
> there being only one reference needed, and the fact that that
> reference automatically carries the needed authority, and hopefully no
> more. The burden of deciding which authorities are needed for a
> particular call is factored out and need only be made once, instead
> of with each invocation.
This is actually *bad*. It precludes the possibility of an operation
performed on my object, on my behalf, by a trusted agent having greater
authority than I do.
shap
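The two-reference call being argued over above, as an added illustration that is not part of the thread (the document type, authority objects, names and rights are all constructed for the example):

```python
from dataclasses import dataclass, field

class Denied(Exception):
    """Raised when the supplied authority does not permit the operation."""

@dataclass(frozen=True)
class Authority:
    """Explicit authority object: who is acting and which rights they hold."""
    name: str
    rights: frozenset

@dataclass
class Document:
    owner: str
    text: str = ""
    log: list = field(default_factory=list)  # which authority performed each write

def write(doc: Document, text: str, auth: Authority) -> str:
    """Two-reference call: the designated object plus the authority used on it.
    The check happens at the call, so the same object reference can be written
    under the owner's own authority or under a trusted agent's greater one."""
    if "write" not in auth.rights:
        raise Denied(f"{auth.name} may not write {doc.owner}'s document")
    doc.text = text
    doc.log.append(auth.name)
    return auth.name

# Constructed authorities for the example (hypothetical names and rights).
ALICE_READONLY = Authority("alice-readonly", frozenset({"read"}))
ALICE_FULL = Authority("alice-full", frozenset({"read", "write"}))
RESTORE_AGENT = Authority("restore-agent", frozenset({"read", "write", "restore"}))

def write_with_default(doc: Document, text: str, auth: Authority = ALICE_FULL) -> str:
    """The hazard the quoted message describes: with a default authority, a
    caller who forgets to pass the restricted one silently acts with the full one."""
    return write(doc, text, auth)

def demo() -> dict:
    """Walk through the three cases and report which authority did each write."""
    doc = Document(owner="alice")
    result = {}
    try:
        write(doc, "edit", ALICE_READONLY)  # explicit, restricted authority: denied
    except Denied:
        result["readonly_denied"] = True
    # A trusted agent acts on alice's object with authority alice does not hold.
    result["agent_wrote"] = write(doc, "restored", RESTORE_AGENT)
    # The authority argument was forgotten, so the default (full) one is used.
    result["default_used"] = write_with_default(doc, "oops")
    result["log"] = list(doc.log)
    return result
```

Reading the log shows which authority each write ran under, which is the audit trail a single capability reference would not separate out.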