[cap-talk] Hybrid systems - definition clarification
Jed Donnelley
capability at webstart.com
Mon Feb 4 12:26:49 EST 2008
At 08:13 AM 2/4/2008, Mark Miller wrote:
>On Feb 3, 2008 10:39 PM, Jed Donnelley <capability at webstart.com> wrote:
>
> > I have been increasingly puzzled by what that term
> > "hybrid capability system" means.
>
>A system with both ACL and cap logic, where an access is allowed only
>if it is allowed by both ACL and cap rules. Thus, the set of allowed
>actions are the intersection of ACL-allowed actions and cap-allowed
>actions.
This is why I asked about a Horton system with an ACL
mechanism as the internal state (PDP). Such a system is
still, in some sense, pure object capability (all delegations
are by capability communication and all requests for
authority are by capability invocation), but it has
the above property of allowing actions by what I
would regard as an intersection of cap-allowed (the
delegations, invocations) and ACL-allowed actions
(changing state within the PDP via capability
allowed invocations which may change the state -
e.g. add or remove some ID from an ACL).
Is such a system "hybrid" or not? Its interface
is pure object capability, but behind the scenes
(in the state of the objects/servers) it is
managing ACLs.
Just to be clear, I'm definitely not trying to
be confrontational. I just want to know what the
definition is so I can understand what people are
saying.
>Classic examples include SCAP, ICAP, and the so-called
>"unauthorized capabilities" of System/38 aka AS/400.
Sorry, I don't have time to look further into the above
examples to tease out their "hybrid"ness at this time.
Perhaps if somebody could give a brief example that
would focus on the distinction I'm trying to make above?
Namely the distinction between what amounts to the API
(capability invocation and delegation) and state
manipulated by object/servers.
--Jed http://www.webstart.com/jed-signature.html
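As an added illustration (not part of the original post or of any system named in the thread), the following toy model shows the "intersection" definition above: an invocation is permitted only if the capability presented carries the right and the resource's ACL also lists the caller for that action. It also models the point raised in the reply, that the ACL state is itself changed only through a capability-permitted invocation (here an assumed "admin" right). All class and function names, principals and rights are constructed for this example.

```python
"""Toy model of a 'hybrid' access check (constructed example, not from the thread).

An action on a resource is allowed only when BOTH hold:
  * cap side: the caller holds a capability to this resource carrying the right
  * ACL side: the resource's ACL grants that action to the caller's identity
The ACL itself can only be edited through a capability carrying an assumed
'admin' right, so every state change in the policy point is cap-mediated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Identity as seen by the ACL side (the 'who' a Horton-style system tracks)."""
    name: str


@dataclass(frozen=True)
class Capability:
    """Unforgeable reference to a named resource plus a set of rights.
    Possession is the only thing checked on the capability side."""
    resource: str
    rights: frozenset

    def attenuate(self, *rights):
        """Delegate a weaker capability: rights can only be narrowed, never widened."""
        return Capability(self.resource, self.rights & frozenset(rights))


class HybridResource:
    """Resource whose effective policy is cap-allowed AND ACL-allowed."""

    def __init__(self, name):
        self.name = name
        self._acl = {}        # principal name -> set of allowed actions
        self.decisions = []   # audit trail: (who, action, cap_ok, acl_ok, allowed)

    def _cap_permits(self, cap, action):
        return cap.resource == self.name and action in cap.rights

    def grant(self, admin_cap, principal, action):
        """ACL mutation is itself a capability-permitted invocation."""
        if not self._cap_permits(admin_cap, "admin"):
            raise PermissionError("an 'admin' capability is required to edit the ACL")
        self._acl.setdefault(principal.name, set()).add(action)

    def revoke(self, admin_cap, principal, action):
        if not self._cap_permits(admin_cap, "admin"):
            raise PermissionError("an 'admin' capability is required to edit the ACL")
        self._acl.get(principal.name, set()).discard(action)

    def access(self, cap, principal, action):
        """The hybrid rule: allowed only in the intersection of both policies."""
        cap_ok = self._cap_permits(cap, action)
        acl_ok = action in self._acl.get(principal.name, set())
        allowed = cap_ok and acl_ok
        self.decisions.append((principal.name, action, cap_ok, acl_ok, allowed))
        return allowed


def demo():
    """Walk through the cases that distinguish a cap denial from an ACL denial."""
    payroll = HybridResource("payroll")
    admin = Capability("payroll", frozenset({"admin", "read", "write"}))
    alice, bob, carol = Principal("alice"), Principal("bob"), Principal("carol")

    # ACL state is set up via the admin capability (cap-mediated state change).
    payroll.grant(admin, alice, "read")
    payroll.grant(admin, alice, "write")
    payroll.grant(admin, bob, "read")

    rw = admin.attenuate("read", "write")   # delegation drops 'admin'
    ro = rw.attenuate("read")               # further attenuation for bob

    results = {
        "alice_write_rw": payroll.access(rw, alice, "write"),   # both allow
        "bob_read_ro": payroll.access(ro, bob, "read"),         # both allow
        "bob_write_ro": payroll.access(ro, bob, "write"),       # cap denies
        "bob_write_rw": payroll.access(rw, bob, "write"),       # ACL denies despite cap
        "carol_read_rw": payroll.access(rw, carol, "read"),     # no ACL entry at all
    }
    # Revocation on the ACL side takes effect even though the cap is unchanged.
    payroll.revoke(admin, alice, "write")
    results["alice_write_after_revoke"] = payroll.access(rw, alice, "write")
    # A read-only capability cannot be used to edit the ACL.
    try:
        payroll.grant(ro, carol, "read")
        results["ro_can_edit_acl"] = True
    except PermissionError:
        results["ro_can_edit_acl"] = False
    return results


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:26s} -> {allowed}")
```

The audit trail kept in `decisions` records which side denied each request, which is the practical way to tell the two policies apart when debugging such a system: a capability denial means the caller was never delegated the right, while an ACL denial means the policy state inside the object excluded that identity.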