[cap-talk] Capabilities giving up control?

[David Hopwood]

Toby Murray wrote:
> Jed, and others who believe that non-delegatable authorities can have no
> use in security:
> 
> Why does your drivers' license have your photo on it?

Because a driver's license represents (primarily) the authority to prove
that a named and photographed person can legally drive. If it were
delegated, it would still be the authority to prove that *that* person
can legally drive.

Suppose that a police officer stops my car while I am driving it. He's
stood at the side of the road to avoid the traffic, so I pass my
license to the front-seat passenger, who then passes it to the police
officer.

A non-delegatable capability would be akin to a license that I can't
let out of my hand for a second, even for the most trivial of delegations
like this one (which is exactly analogous to passing a capability via
some helper object that is trusted, but in a separate protection domain).

> Why does your passport have your photo on it?

Same argument as the driving license.

-- 
David Hopwood