[cap-talk] Properties of capabilities (was: Re: Derivative rights)

Jed Donnelley jed at nersc.gov
Wed Feb 6 13:30:13 EST 2008


On 2/5/2008 2:38 PM, Toby Murray wrote:
> I'd like to argue against the "filenames are capabilities" idea from a
> formal perspective. (This argument applies equally to other similar
> strings presented earlier in this discussion, which I'll admit I haven't
> been following closely.)
> 
> Formally speaking, the fundamental property of a capability is:
> 
> One object, o, can directly access another, p, if and only if o
> possesses a capability that names p.
> 
> With filenames, (presuming open() is the only way to access files), we
> have that:
> 
> one object (program), o, can directly access a file, f, only if it knows
> a name that designates the file. 
> 
> But we do not have
> 
> one program, o, can directly access a file, f, if it knows a name that
> designates the file.
> 
> Because filenames do not have the "if and only if" property, they are
> not capabilities.

I don't think you are going to get at the essence of Ross's argument,
because he can just say that the operation that constitutes "access"
is the attempted open - without success.  E.g. suppose that in some
system if there is an attempt to open a file that fails, the last
access (or last failed access) time for the file is updated.  Even
this minor state change would of course constitute an operation on
the file. Even without such a change Ross has been arguing that the
file name does enable something (the open effort) that wasn't
available previously.

> Forgeability and other ideas get into the details of how entities may
> come to possess capabilities and how they may be passed around. These
> details can vary for different capability systems (e.g. those that do
> and do not respect the object-capability model, for example). But the
> fundamental property of a capability, as I see it, is that stated above.
> Filenames do not satisfy it and, hence, cannot be capabilities. (At least
> not in conventional systems like Unix/Windows etc.)

I don't see any hope for making this a black and white situation.
Tokens can have properties of capabilities that can vary
from none to clear and definite.  I think we all agree
(I hope including Ross) that file names and simple URLs
that require an authentication step (e.g. my:

https://wiki.nersc.gov/

Try it Toby) fall into the category of having essentially
none of the important properties of capabilities.

--Jed  http://www.webstart.com/jed/
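To make the two positions in this exchange concrete, here is a small added model (example code written for this archive page, not code from either poster): one world where an unforgeable reference is both necessary and sufficient to read an object, and one where a filename is only necessary, because an owner-only check decides the open and, following Jed's point, a denied open still updates a "last failed access" timestamp on the file. All names (`Capability`, `FileSystem`, the file paths and users) are invented for illustration.

```python
"""Toy contrast of capability access versus filename-plus-ACL access.
Added example for the cap-talk thread; every identifier here is constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class File:
    """Constructed file record. last_failed_access models the minor state
    change a failed open can cause, as described in the thread."""
    name: str
    content: str
    owner: str
    last_failed_access: Optional[int] = None


# --- Model 1: capability ----------------------------------------------------
class Capability:
    """An unforgeable reference: here, simply a Python object that wraps the
    File. There is no way to mint one from a string, so possession is the
    only route to the object."""

    def __init__(self, target: File):
        self._target = target

    def read(self) -> str:
        return self._target.content


def cap_access(cap: Optional[Capability]) -> Optional[str]:
    """Access succeeds if and only if the caller holds a capability.
    With no capability there is nothing to attempt, not even a failed open."""
    return None if cap is None else cap.read()


# --- Model 2: filenames plus an access check --------------------------------
class FileSystem:
    """Name lookup followed by an owner-only check, plus Jed's side effect:
    a denied open records the attempt on the file."""

    def __init__(self) -> None:
        self._files: Dict[str, File] = {}
        self._clock = 0  # constructed logical clock for timestamps

    def create(self, name: str, content: str, owner: str) -> None:
        self._files[name] = File(name, content, owner)

    def open(self, name: str, user: str) -> Optional[str]:
        f = self._files.get(name)
        if f is None:
            return None          # unknown name: nothing to operate on
        self._clock += 1         # every attempt on an existing file is an event
        if f.owner != user:
            f.last_failed_access = self._clock   # state change on denial
            return None          # knowing the name was not sufficient
        return f.content

    def last_failed_access(self, name: str) -> Optional[int]:
        return self._files[name].last_failed_access


def capability_model_demo() -> Tuple[Optional[str], Optional[str]]:
    """Holding the capability reads the file; lacking it yields no access."""
    f = File("secret.txt", "hello", "alice")
    return cap_access(Capability(f)), cap_access(None)


def filename_model_demo() -> Tuple[Optional[str], Optional[str],
                                   Optional[int], Optional[int]]:
    """Both users know the name; only the owner can read it, and the other
    user's failed attempt still leaves a mark on the file."""
    fs = FileSystem()
    name = "/home/alice/secret.txt"
    fs.create(name, "hello", "alice")
    by_owner = fs.open(name, "alice")
    before = fs.last_failed_access(name)
    by_other = fs.open(name, "bob")
    after = fs.last_failed_access(name)
    return by_owner, by_other, before, after


if __name__ == "__main__":
    print("capability model:", capability_model_demo())
    print("filename model:  ", filename_model_demo())
```

The second tuple returned by `filename_model_demo()` is the whole disagreement in one line: `by_other` is `None`, so the name did not grant access (Toby's "only if" without "if"), yet `after` is no longer `None`, so the name did let Bob perform an operation on the file (Jed's reading of "access").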
