[cap-talk] Confused Deputies in Capability Systems - not
James A. Donald
jamesd at echeque.com
Sat Feb 28 19:53:54 EST 2009
Marcus Brinkmann, on Thursday, February 26, 2009, wrote:
>> Capabilities can only survive in an isolated,
>> homogeneous environment. I think that this is a
>> serious limitation, which in my opinion severely
>> restricts the applicability of capability theory.
Bill Frantz wrote:
> This statement is wrong on the face of it. Any
> data-as-capability (e.g. WebKeys, SPKI authorizations,
> etc.) can be securely passed through systems, such as
> encrypted email, that are completely unaware of
> capabilities, let alone the precise capability system
> they represent.
If I understand E correctly, within a vat, capabilities
are objects, and between vats, they are opaque encrypted
data.
In a small, sandboxed system, such as a Caja script
running in the browser, which is sandboxed against
acting contrary to the interests of the person viewing
the web page and no one else, capabilities-as-objects
are arguably the sensible way to go. In a larger
system, a network with multiple owners and multiple
conflicting interests, the case for
capabilities-as-opaque-encrypted-data becomes
considerably stronger.
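The two flavours contrasted in the post, an in-vat object capability and a capability that travels between vats as opaque data, can be shown side by side in a few dozen lines. The following is an added example, not code from E, Caja or anyone on this thread: the `Vat`, `Document` and `Facet` names and the HMAC-authenticated token format are this example's own assumptions (E's actual inter-vat protocol is not reproduced here). Inside the vat a `Facet` is just an object reference that exposes a subset of methods; leaving the vat, `export` mints an unguessable designator plus an authenticated rights list, which a capability-unaware channel (a constructed e-mail body below) can carry as a plain string, and `redeem` turns it back into a `Facet` only if the MAC checks out.

```python
import base64
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every exported token


class Document:
    """Some object a vat wants to share with restricted rights."""
    def __init__(self, text):
        self._text = text

    def read(self):
        return self._text

    def write(self, text):
        self._text = text


class Facet:
    """Object capability inside a vat: a reference exposing only the named
    methods, so holding the facet conveys exactly those rights and no more."""
    def __init__(self, obj, rights):
        for name in rights:
            setattr(self, name, getattr(obj, name))


class Vat:
    """Hypothetical vat: the only place where its tokens are minted or redeemed."""
    def __init__(self):
        self._key = secrets.token_bytes(32)  # MAC key; never leaves the vat
        self._exports = {}                   # designator -> (object, rights)

    def export(self, obj, rights):
        """Object capability -> data capability: an opaque string carrying an
        unguessable designator and an authenticated list of rights."""
        designator = secrets.token_urlsafe(24)
        self._exports[designator] = (obj, frozenset(rights))
        payload = json.dumps({"id": designator, "rights": sorted(rights)},
                             separators=(",", ":")).encode()
        tag = hmac.new(self._key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode()

    def redeem(self, token):
        """Data capability -> object capability, or PermissionError."""
        try:
            raw = base64.urlsafe_b64decode(token.encode())
        except ValueError:
            raise PermissionError("malformed capability")
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("forged or tampered capability")
        claim = json.loads(payload)
        entry = self._exports.get(claim["id"])
        if entry is None:
            raise PermissionError("unknown or revoked capability")
        obj, granted = entry
        # The rights in the token are authenticated, but intersect with the
        # export record anyway so a later narrowing of the grant takes effect.
        return Facet(obj, granted & set(claim["rights"]))


def tamper(token):
    """Flip one byte of the payload; without the vat's key no valid MAC can be made."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode()))
    raw[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def demo():
    issuing_vat = Vat()
    doc = Document("quarterly numbers")
    token = issuing_vat.export(doc, {"read"})
    # Constructed e-mail body standing in for a capability-unaware channel.
    mail = "Subject: review\n\nHere is the document: " + token + "\n"
    received = mail.split("document: ", 1)[1].strip()
    facet = issuing_vat.redeem(received)
    results = {"read": facet.read(),
               "can_write": hasattr(facet, "write"),
               "tampered_rejected": False,
               "foreign_vat_rejected": False}
    try:
        issuing_vat.redeem(tamper(received))
    except PermissionError:
        results["tampered_rejected"] = True
    try:
        Vat().redeem(received)  # a different vat does not hold the key
    except PermissionError:
        results["foreign_vat_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one Bill Frantz raises: nothing on the path between `export` and `redeem` needs to know what a capability is, yet a forwarder cannot enlarge the rights (the MAC covers them) and the issuing vat can still withdraw the grant by dropping its export record. What the token does not hide is the designator itself, so anyone who can read the channel can redeem it; that confidentiality property is what encrypting the data, as the post describes for inter-vat traffic, would add on top.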