[cap-talk] Unestos paper notes (was: Re: More Heresey: ACLs not inherently bad)

John Carlson john.carlson3 at sbcglobal.net
Mon Sep 1 11:31:16 CDT 2008


On Sep 1, 2008, at 12:55 AM, Jed Donnelley wrote:

> At 08:56 PM 8/31/2008, John Carlson wrote:
>
>>>
>>> I found this paper interesting enough that I'll share some notes
>>> from reading (sequential and loosely edited - be forewarned):
>>>
>>> 1.  "A first approximation of a POLP-friendly system is one based on
>>> capabilities, discussed in Section 3. Though capabilities have
>>> historically flummoxed application designers, we present a more
>>> familiar interface, based on the Unix file system."
>>
>> I was on IRC the other day on a channel discussing the development of
>> OGP,
>
> Is "OGP" the Open Graphics Project?
>
Open Grid Protocol

>> and one of the people there was moaning about caps.
>
> Can you check to see if that person was somebody who had done (or
> anticipated doing) programming with some capability interface?
> If so I'd be quite interested to learn what interface in what
> system.
>
I believe that OGP is a capability-based protocol.  I am not sure if
they were a programmer or not.

>> I'm not sure if they were an application designer, but they
>> seemed mildly annoyed at the "complexity."
>
> In the abstract any POLA mechanism seems more complex until you
> consider that it's simply parameter passing.  The capability
> aspect is to simply block access to ambient authority (e.g.
> global variables).

Sometimes you have to provide global variables (search) to bootstrap
communication.  People can opt-in their global variable.

>
>
>> Proxies are annoying, perhaps.
>
> Were proxies (i.e. insertion/virtualization) discussed?  If
> so I'd be interested to hear the context.  It certainly seems
> to me that having the option to do insertion (e.g. replace a
> file with a pipe) is a value, though having to program the
> inserted code (e.g. handle the pipe communication) can of
> course cost additional code.

No, that was just my comment.  I was more talking about providing the
feature of revocation.

Providing security is more complex than not providing security.  But
it has value.
Ideally, security would be practically transparent, and provided by
the infrastructure.  I don't need to know a whole lot of technical
details to use SSH and HTTPS--they are practically as easy as RSH and
HTTP.  If I encrypt my files on my disk, I don't need to know the
details of the algorithm.  I would be glad to hear of ways to make
capability security more transparent to application designers.  What
things can be hidden from the application designer, and which patterns
must the application designer learn?  Someone can use keys without
being responsible for making them.  If a key is merely a reference,
then it should be as easy to use as a normal reference.

Remember the application designers are not typically systems designers.

John
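The two ideas traded in this thread, that capability discipline is "simply parameter passing" with ambient authority blocked, and that revocation is the feature application designers find awkward, are easier to see in code than in prose. The following is an added example written for these notes; it is not code from the message, from the paper under discussion, or from OGP, and every name in it (`ReadCap`, `make_revocable`, `count_words`, the constructed in-memory "files") is an assumption made for illustration. The caretaker proxy is the standard object-capability revocation pattern: the holder receives a forwarder rather than the underlying object, and whoever keeps the `revoke` closure can cut the link later without touching the holder's code.

```python
"""Capability as parameter passing, contrasted with ambient authority,
plus revocation through a caretaker (forwarding) proxy.

Added illustration for the cap-talk thread; all names are assumptions.
"""


class RevokedError(PermissionError):
    """Raised when a capability's authority has been withdrawn."""


class ReadCap:
    """Read-only capability to one in-memory 'file' (constructed sample data)."""

    def __init__(self, name, content):
        self._name = name
        self._content = content

    @property
    def name(self):
        return self._name

    def read(self):
        return self._content


# Ambient-authority counterpart: a global table any code in the process
# can consult by name. There is no handle to hand out, so nothing to revoke.
AMBIENT_FILES = {"notes.txt": "alpha beta gamma"}  # constructed sample


def count_words_ambient(name):
    """Reaches into global state; authority is not visible in the signature."""
    return len(AMBIENT_FILES[name].split())


def count_words(cap):
    """Capability style: the only authority this function has is `cap`,
    which the caller chose to pass in. Nothing else in the process is reachable."""
    return len(cap.read().split())


def make_revocable(target):
    """Caretaker pattern: return (proxy, revoke).

    The proxy forwards to `target` until `revoke()` is called. It exposes no
    attribute through which the holder could recover `target` directly, so
    revocation is effective against code that only ever held the proxy."""
    cell = [target]  # single mutable slot shared by proxy and revoke()

    class _Caretaker:
        __slots__ = ()  # no instance dict, so nothing to stash the target in

        @property
        def name(self):
            if cell[0] is None:
                raise RevokedError("capability revoked")
            return cell[0].name

        def read(self):
            if cell[0] is None:
                raise RevokedError("capability revoked")
            return cell[0].read()

    def revoke():
        cell[0] = None

    return _Caretaker(), revoke


def demo():
    """Hand a revocable read capability to application code, then withdraw it.

    Returns (word count before revocation, whether the call still works after)."""
    cap = ReadCap("notes.txt", "alpha beta gamma")  # constructed sample
    proxy, revoke = make_revocable(cap)
    before = count_words(proxy)  # application code just uses a reference
    revoke()  # the grantor withdraws authority; the holder's code is unchanged
    try:
        count_words(proxy)
        still_works = True
    except RevokedError:
        still_works = False
    return before, still_works


if __name__ == "__main__":
    print(demo())  # (3, False)
```

Note that `count_words` is written exactly as it would be without any security mechanism: the capability is used like a normal reference, which is the transparency the message asks for. The extra code lives entirely in `make_revocable`, on the grantor's side, which is where the complexity of revocation actually belongs.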

