[cap-talk] What sustained interest in capabilities

Mitsu Hadeishi mitsu at syntheticzero.com
Sat Dec 27 18:39:42 EST 2008


Hi,

I used to be CTO of the same startup where Monty still works (I've
since left but have retained my interest in capability security).
I've been skimming this list but I thought I'd throw in a comment.
One thing I've noticed with some of the capability security efforts is
the desire to create a top-to-bottom capability security system, i.e.,
an entire operating system based on capability security, or an entire
general purpose language like E.  However, we found that it was quite
possible to implement capability security just at a specific layer of
a system, so that one can combine ordinary ACL-based security with
capability security principles to gain many of the benefits of cap
security without having to make every cooperating system capability
secure.  For example, while Java itself is of course not capability
secure, one can easily implement a capability secure layer in Java
which the users of a given program, service, etc., can use, and this
gives you a wide variety of benefits that are next to impossible to
attain with traditional ACL-based or role-based security.  In other
words, capability security can be applied to just a layer of a system,
even when most of the rest of the system remains ACL- or role-based,
as long as the layer itself is consistent in the application of
capability security.  It's not at all necessary for every subsystem to
use capability security for this to give you a wide variety of
powerful benefits, which I won't outline at length here.  I think this
strategy ought to be applied far more frequently; it's actually quite
surprising how little penetration capability security has had in the
mainstream security world, when in fact it is something that could be
applied right now to many real world systems using existing
technologies (i.e., like Java) without having to migrate everything
over to something like E.

Mitsu

On Feb 22, 2008, at 9:31 AM, Monty Zukowski wrote:

> You got it exactly right.  After the login, all security is
> capability based.  When a user logs in they have a set of
> capabilities they manage, either creating new ones or using ones
> that others have assigned to them or their existing objects.
>
> Monty
>
> On 2/21/08, Jed Donnelley <capability at webstart.com> wrote:
> At 08:07 PM 2/21/2008, Monty Zukowski wrote:
> >...
>
> >Right now I'm at a startup co-architecting a visual programming
> >environment which I'm trying to base on many ideas from Mark's
> >thesis.  All the objects exposed through our environment are
> >capabilities.  Security beyond the initial login is authority based.
>
>
> Can you explain what you mean by "Security beyond the initial login
> is authority based."?  Do you mean that all access control beyond the
> initial login is capability based?
>
> --Jed  http://www.webstart.com/jed-signature.html
>
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
>
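The layering Mitsu and Monty describe (an ordinary password/ACL login at the boundary, with everything past it governed by object references) can be sketched in plain Java. The following is an added example written for this page; it is not code from the original posts or from the startup's product, and every name in it (Document, ReadCap, WriteCap, Caretaker, Session, the user table) is this example's own assumption. It shows the three properties that make such a layer worthwhile: references are unforgeable because the only constructors are private to the file, authority can be attenuated by wrapping (a read-only forwarder cannot be cast back to a writer), and it can be revoked by interposing a caretaker, all without consulting an ACL after login.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Added example, not code from the original post or the poster's product.
// ACL/role check happens once, at login(); inside the layer, holding an
// object reference is the whole authorization.  All names are assumptions.
public final class CapLayerDemo {

    // ACL side: a constructed user table, the only identity check in the program.
    private static final Map<String, String> PASSWORDS = Map.of("alice", "pw-a", "bob", "pw-b");

    public static Session login(String user, String password) {
        if (!password.equals(PASSWORDS.get(user))) {
            throw new SecurityException("bad credentials for " + user);
        }
        return new Session(user);
    }

    // Capability side.  Document is private to this file, so no outside code can
    // name it; the only way to reach one is through a capability object.
    private static final class Document {
        private String text = "";
    }

    // Capabilities are interfaces; the concrete objects are minted only here.
    public interface ReadCap  { String read(); }
    public interface WriteCap extends ReadCap { void write(String s); }

    // Mint a fresh document and return full authority over it.
    public static WriteCap newDocument() {
        Document d = new Document();
        return new WriteCap() {
            public String read()          { return d.text; }
            public void   write(String s) { d.text = s; }
        };
    }

    // Attenuation: a forwarder exposing only read().  The result does not
    // implement WriteCap, so the holder cannot downcast to regain write().
    public static ReadCap readOnly(ReadCap full) {
        return () -> full.read();
    }

    // Revocation: the owner keeps the Caretaker and hands out cap(), a forwarder
    // that stops working once revoke() has been called.
    public static final class Caretaker {
        private WriteCap target;
        public Caretaker(WriteCap target) { this.target = target; }
        public void revoke() { target = null; }
        public WriteCap cap() {
            return new WriteCap() {
                public String read()          { return live().read(); }
                public void   write(String s) { live().write(s); }
            };
        }
        private WriteCap live() {
            if (target == null) throw new IllegalStateException("capability revoked");
            return target;
        }
    }

    // A logged-in user's view: just the capabilities they hold.  Delegation is
    // passing a reference; no per-user ACL entry is created or checked.
    public static final class Session {
        public final String user;
        public final List<ReadCap> held = new ArrayList<>();
        Session(String user) { this.user = user; }
        public void grant(ReadCap cap) { held.add(cap); }
    }

    public static void main(String[] args) {
        Session alice = login("alice", "pw-a");
        Session bob   = login("bob",   "pw-b");

        WriteCap doc = newDocument();
        alice.grant(doc);
        doc.write("draft v1");

        // Alice delegates read-only, revocable access to Bob; nothing anywhere
        // records "bob may read this document" except the reference he holds.
        Caretaker ct = new Caretaker(doc);
        ReadCap forBob = readOnly(ct.cap());
        bob.grant(forBob);

        System.out.println("bob reads: " + bob.held.get(0).read());
        System.out.println("bob holds write authority? " + (forBob instanceof WriteCap));

        ct.revoke();
        try {
            bob.held.get(0).read();
        } catch (IllegalStateException e) {
            System.out.println("bob after revoke: " + e.getMessage());
        }
        System.out.println("alice still reads: " + doc.read());
    }
}
```

The layer stays capability-safe only if the rest of the Java program respects it: nothing else may hold a `Document` or reach the minted objects through reflection, static globals or serialization, which is the "consistent in the application of capability security" condition from the message. Outside that layer the application can keep its existing login and role checks untouched.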


