[cap-talk] What sustained interest in capabilities

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Wed Dec 31 15:59:51 EST 2008


Rob Meijer wrote:
> On Mon, December 29, 2008 20:09, David-Sarah Hopwood wrote:
> 
>>> The "impedance mismatch" is also far less of a problem than it may
>>> seem, it turns out, for reasons I won't elaborate on in detail here,
>>> but in brief it's because once you wrap an external ACL-based service
>>> in a capability (which can have arbitrarily complex code controlling
>>> access), the laws of capability authority transfer then take over.
>>> You really don't have to think in terms of ACLs at all, or the fact
>>> that the service itself is unaware of the capability wrapper, from the
>>> POV of the layer it is pure capabilities.
>>
>> I disagree. Complexity is the enemy of security, and it's not possible
>> to make a system simpler by adding layers. Since an ACL layer is
>> typically already too complicated, it is only by removing such layers
>> that we can obtain a high degree of confidence in the security of the
>> whole system.
> 
> I think it is definitely possible to make a system simpler by adding
> layers, in fact layering is an important tool in keeping complexity
> manageable.

Not in the sense of overall implementation complexity of the universal TCB.
I should have been clearer that that is what I meant.

-- 
David-Sarah Hopwood ⚥
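As an added illustration of the pattern the thread is arguing about (this is not code from the thread or from any participant), the following Python sketch wraps a constructed ACL-based service in capability objects. The service, its ACL table, file contents and principal names are all hypothetical. It shows the two points at issue: from the wrapper's side, authority moves by passing an object reference and can be attenuated, with no ACL vocabulary visible to the recipient; but every call still runs through the ACL check, so that code remains inside the trusted computing base rather than being removed by the extra layer.

```python
"""Added example (not from the cap-talk thread): a hypothetical ACL-based
service wrapped in capability objects."""


class AclFileService:
    """Constructed stand-in for an external ACL-based service.
    Every call names a principal and is checked against a table."""

    def __init__(self):
        # Hypothetical ACL table: path -> {principal: set of rights}
        self._acl = {
            "/etc/config": {"alice": {"read", "write"}, "bob": {"read"}},
            "/var/secret": {"alice": {"read"}},
        }
        # Constructed file contents
        self._files = {"/etc/config": "debug=false", "/var/secret": "hunter2"}

    def _rights(self, principal, path):
        return self._acl.get(path, {}).get(principal, set())

    def read(self, principal, path):
        if "read" not in self._rights(principal, path):
            raise PermissionError(f"{principal} may not read {path}")
        return self._files[path]

    def write(self, principal, path, data):
        if "write" not in self._rights(principal, path):
            raise PermissionError(f"{principal} may not write {path}")
        self._files[path] = data


class ReadCap:
    """Capability for one path: holding the object is the authority.
    Principal and path are fixed at creation and only read() is exposed,
    so a holder cannot name other principals or paths. The wrapped ACL
    check still runs on every call, which is why the ACL layer stays in
    the TCB even though the caller never sees it."""

    __slots__ = ("_svc", "_principal", "_path")

    def __init__(self, svc, principal, path):
        self._svc = svc
        self._principal = principal
        self._path = path

    def read(self):
        return self._svc.read(self._principal, self._path)


class ReadWriteCap(ReadCap):
    """Read-write capability; can be attenuated to a read-only one."""

    __slots__ = ()

    def write(self, data):
        self._svc.write(self._principal, self._path, data)

    def attenuate(self):
        # Derive a weaker capability from a stronger one: the recipient
        # gets a new object, not a modified ACL entry.
        return ReadCap(self._svc, self._principal, self._path)


def consumer(cap):
    """A component that receives a capability and knows nothing about
    principals or ACLs; it can only call what the object exposes."""
    return cap.read()


def demo():
    svc = AclFileService()
    # alice mints a read-write capability for /etc/config and hands a
    # read-only attenuation of it to another component.
    rw = ReadWriteCap(svc, "alice", "/etc/config")
    ro = rw.attenuate()
    got = consumer(ro)               # authority transferred by reference
    has_write = hasattr(ro, "write")  # attenuation held: no write() at all
    # The ACL check is still the final arbiter. Constructed case: alice's
    # entry for /var/secret is read-only, so a ReadWriteCap minted for it
    # is refused by the underlying service on write().
    over_privileged = ReadWriteCap(svc, "alice", "/var/secret")
    try:
        over_privileged.write("x")
        acl_blocked = False
    except PermissionError:
        acl_blocked = True
    return got, has_write, acl_blocked


if __name__ == "__main__":
    print(demo())
```

Note that `ReadWriteCap("alice", "/var/secret")` being refused is the crux of the disagreement: the wrapper's interface is pure capabilities, but whether a capability actually grants what its type suggests is decided by ACL code the wrapper did not replace.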


