[cap-talk] Confused Deputies arising from object capabilities
Karp, Alan H
alan.karp at hp.com
Mon Feb 4 11:46:40 EST 2008
Jed wrote:
>
> At this point I feel I have such a clear view of how
> these mechanisms are working, it seems a shame that I
> don't have an opportunity to work on architecting a
> system with them - e.g. a capability based system
> with some identity based controls (e.g. MLS).
Client Utility provided some aspects of this without relying on identities by using "negative permissions". These were capabilities that could make other capabilities unusable. The simplest case was compartments, such as when we want to prevent inadvertent mixing of rights from two customers. The use of any capability from one compartment disabled capabilities from the other.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
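The compartment mechanism described above, as an added illustrative model (not Client Utility's own code): capabilities carry a compartment tag, and exercising any capability from one compartment permanently disables every capability from a conflicting compartment. Compartment and resource names are constructed for the example.

```python
from dataclasses import dataclass


class CapabilityDisabled(Exception):
    """Raised when a negative permission has made a capability unusable."""


@dataclass
class Compartment:
    name: str
    active: bool = True  # becomes False once a conflicting compartment is used


@dataclass(frozen=True)
class Capability:
    """An unforgeable reference to a resource, tagged with its compartment."""
    resource: str
    compartment: Compartment


class Holder:
    """A principal's capability set with mutually exclusive compartment pairs.

    Exercising any capability in one compartment of a pair disables the
    other: the disabled compartment's capabilities then fail on invocation.
    """

    def __init__(self, conflicts):
        self.conflicts = conflicts  # list of (Compartment, Compartment) pairs

    def invoke(self, cap):
        if not cap.compartment.active:
            raise CapabilityDisabled(
                f"{cap.resource}: compartment {cap.compartment.name} disabled")
        # Negative permission: using this compartment disables its rivals.
        for a, b in self.conflicts:
            if cap.compartment is a:
                b.active = False
            elif cap.compartment is b:
                a.active = False
        return f"used {cap.resource}"


def demo():
    acme, globex = Compartment("acme"), Compartment("globex")  # constructed
    holder = Holder(conflicts=[(acme, globex)])
    results = [holder.invoke(Capability("acme/db", acme)),
               holder.invoke(Capability("acme/files", acme))]
    try:
        holder.invoke(Capability("globex/db", globex))
    except CapabilityDisabled as err:
        results.append(f"blocked: {err}")
    return results
```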