[cap-talk] What sustained interest in capabilities

David Wagner daw at cs.berkeley.edu
Wed Jan 7 22:30:41 EST 2009


David Hopwood writes:
> I don't find that this platitude tells me anything useful about how to
> design systems.

It's not intended to.  What it's intended to suggest is that there is not One
Right Approach to the design of secure systems.  The best design usually
depends upon context and on the requirements.  In some settings, a design
along the lines you sketch may be the best one.  In other settings, a
design along the lines that Mitsu sketches may be the most suitable.  That's fine.

I think the object capability community should encourage and welcome all
efforts to explore the design space, including -- but not limited to --
the kind of approach that Mitsu is advocating, as well as the kind of
design that you are advocating.  This is not a zero-sum game.  I think
it's exciting that Mitsu and company are exploring object capabilities
in their application and I look forward to learning more about what
they've been doing, when they can say more.

Of course it's no surprise that I believe there can be value in
replacing one layer and everything above it with something based
upon object-capabilities, even if the underlying layers are not.
That's more or less how Joe-E works, for instance, and Joe-E is hardly
unique in this respect.

Another claim: a system does not need to solve all problems or provide
the maximum possible level of assurance to be interesting and valuable.
If it provides a comparable level of assurance as existing systems,
but at lower cost or with greater usability/flexibility, that's useful.
Similarly, a system that eliminates some classes of risks can be useful
and interesting, even if it does not eliminate all of them, particularly
if we did not previously know how to eliminate those risks at reasonable
cost.
