[cap-talk] What sustained interest in capabilities
David Wagner
daw at cs.berkeley.edu
Wed Jan 7 13:57:27 EST 2009
Mitsu Hadeishi <mitsu at syntheticzero.com> writes:
> In other words, what I am saying is that using capability security
> today, now, can be done in practical, usable systems which allow a
> huge class of risks to be eliminated. The point is this is *extremely
> useful*. It is not that it completely eliminates all risk.
I agree 100%. A system might not be perfect, but if it is
useful, great!
Put another way, systems security is often about tradeoffs: e.g.,
tradeoffs between the level of assurance you want vs cost (or other
considerations). I think David Hopwood's argument may make sense where
assurance is paramount and takes precedence over other considerations,
but I think it's also interesting to look at other points in the
tradeoff space.
Put yet another way, I think there's room in this town for both
approaches: both for hard-core, no-compromises, security-is-everything
ground-up re-design of all layers, as well as approaches that replace only
a subset of the layers and may be imperfect but are useful and deployable.
Both kinds of work are valuable and should be welcomed and encouraged.
Let a million flowers bloom.