[cap-talk] Confused Deputies in Capability Systems

David-Sarah Hopwood david.hopwood at industrial-designers.co.uk
Sat Feb 7 16:01:59 EST 2009


Sandro Magi wrote:
> Analogously, the Waterken server amplifies a URL to an actual object
> reference when it serves a request on that object, so it too must
> authenticate the input. This is a problem with capabilities-as-data, but
> not object capabilities.

No, this is just part of the implementation of the capabilities-as-data
system. The Waterken server validates/authenticates URLs; a Waterken
application doesn't need to.

More generally, both cap-as-data and object-cap systems need to validate
capability *representations*, or ensure that invalid representations
cannot exist. If an invalid representation can exist then it must not
be usable, and that must not depend on an application validating it or
being able to validate it, or on whether the application has access to
the representation as data.

-- 
David-Sarah Hopwood ⚥
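The boundary described in the post, as an added toy model that is not Waterken's code (the `?s=` URL shape and the `example.invalid` authority are assumptions): the server amplifies an unguessable URL into an object reference and rejects every malformed or unknown representation itself, so the application object never sees, let alone validates, the URL.

```python
import secrets
from urllib.parse import urlsplit, parse_qs

class InvalidCapability(Exception):
    """The URL does not amplify to any exported object."""

class CapabilityServer:
    def __init__(self, base="https://example.invalid/"):  # constructed authority
        self._base = base
        self._table = {}  # unguessable key -> live object reference
    def export(self, obj):
        """Mint a capability URL; 128 random bits make the key unguessable."""
        key = secrets.token_urlsafe(16)
        self._table[key] = obj
        return f"{self._base}?s={key}"

    def amplify(self, url):
        """Validate the representation once, here, and return the object or raise."""
        parts = urlsplit(url)
        if f"{parts.scheme}://{parts.netloc}{parts.path}" != self._base:
            raise InvalidCapability("wrong authority or path")
        keys = parse_qs(parts.query).get("s", [])
        if len(keys) != 1 or keys[0] not in self._table:
            raise InvalidCapability("missing or unknown key")
        return self._table[keys[0]]

    def serve(self, url, method, *args):
        """Amplify first; the application sees only the object reference."""
        if method.startswith("_"):  # keep routing to the object's public protocol
            raise ValueError("not a public method")
        return getattr(self.amplify(url), method)(*args)

class Counter:  # application object: knows nothing about URLs or keys
    def __init__(self):
        self.n = 0
    def incr(self):
        self.n += 1
        return self.n

def demo():
    """Return (legitimate result, number of rejected URLs, final count)."""
    server, counter = CapabilityServer(), Counter()
    url = server.export(counter)
    ok = server.serve(url, "incr")
    forged = url[:-1] + ("A" if url[-1] != "A" else "B")  # right shape, wrong key
    rejected = 0
    for bad in (forged, "https://example.invalid/?s=", "https://example.invalid/x?s=k"):
        try:
            server.serve(bad, "incr")
        except InvalidCapability:
            rejected += 1
    return ok, rejected, counter.n
```

Only the URL actually handed out ever reaches the `Counter`; the forged, empty and mis-pathed URLs all die in `amplify`, which is the single place validation lives.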


