[cap-talk] Persistence as a cap value
Sandro Magi
naasking at higherlogics.com
Wed Mar 12 20:46:58 EDT 2008
James A. Donald wrote:
> Persistent capabilities are bad. They are too valuable,
> therefore need too much protection, too much management,
> and your mother is not going to provide the necessary
> management any more than she does for ACLs. We should
> therefore always seek ways of doing things that do not
> require persistent capabilities.
The opposing argument is equally simple. Since persistent capabilities
can be dangerous if leaked, they would be factored into the narrowest
authorities possible, thus mitigating the damage of any leak. Given the
incentives, POLA is maximized in such an environment.
Non-persistent capabilities would lead to coarser-grained authorities by
absence of the above incentives. Thus, I would conjecture that POLA in
such a system would be strictly less than a system with persistent
capabilities.
Choose your poison.
Sandro
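As an added illustration of the "factored into the narrowest authorities possible" point above (this is example code, not from the cap-talk post or any project it mentions): a broad persistent authority is wrapped in a read-only, prefix-limited facet and a revocable forwarder before it is handed out, so a leak of the facet exposes far less than the underlying store and can be cut off afterwards. All names (`Store`, `ReadOnly`, `make_revocable`, the sample keys) are hypothetical.

```python
"""Added example: attenuating a persistent capability into narrow facets.
Not from the cap-talk post; all names and the sample data are constructed."""
from dataclasses import dataclass, field


class Revoked(Exception):
    """Raised when a forwarder that has been revoked is used."""


@dataclass
class Store:
    """The full, persistent authority: read and write any key."""
    data: dict = field(default_factory=dict)

    def read(self, key):
        return self.data[key]

    def write(self, key, value):
        self.data[key] = value


class ReadOnly:
    """Attenuated facet: exposes only read(), and only under one key prefix.
    It holds the Store but never hands it out, so the facet cannot be
    'unwrapped' by whoever receives it."""
    def __init__(self, store, prefix):
        self._store, self._prefix = store, prefix

    def read(self, key):
        if not key.startswith(self._prefix):
            raise PermissionError(f"facet limited to prefix {self._prefix!r}")
        return self._store.read(key)


def make_revocable(target):
    """Caretaker pattern: returns (forwarder, revoke). Only the holder of
    `revoke` can cut the forwarder off; the forwarder's holder cannot."""
    box = {"target": target}

    class Forwarder:
        def __getattr__(self, name):
            if box["target"] is None:
                raise Revoked("capability revoked")
            return getattr(box["target"], name)

    def revoke():
        box["target"] = None

    return Forwarder(), revoke


def demo():
    """Hand out a narrow facet of a broad store, exercise its limits,
    then revoke it; returns a dict of what the facet holder could do."""
    store = Store({"cfg/a": 1, "secret/k": "s"})          # constructed sample data
    facet, revoke = make_revocable(ReadOnly(store, "cfg/"))
    results = {}
    results["read_ok"] = facet.read("cfg/a")               # permitted
    try:
        facet.read("secret/k")                             # outside the prefix
        results["prefix_denied"] = False
    except PermissionError:
        results["prefix_denied"] = True
    results["has_write"] = hasattr(facet, "write")         # facet has no write()
    revoke()                                               # issuer cuts it off
    try:
        facet.read("cfg/a")
        results["revoked"] = False
    except Revoked:
        results["revoked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the object given out is the facet, never the `Store`: if the facet is leaked, the leak is bounded to read access under one prefix, and the issuer, who kept `revoke`, can end it without the holder's cooperation.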