[cap-talk] "Ambient capability"
Sandro Magi
naasking at higherlogics.com
Mon Jul 13 12:45:11 EDT 2009
Toby Murray wrote:
> I also suspect we have a more precise meaning with some of the
> terminology we use. In particular, Dmbarbour's use of the word
> "capability" appears to be more in line with the everyday use of the term
> along the lines of "ability" or "power".
>
> Some of the discussion on the erights wiki has involved making
> distinctions between "secure" and "insecure" capabilities, namely ones
> that cannot and can be forged respectively. In this sense, there is no
> such thing as an insecure capability in a capability-based system,
> including all object-capability systems.
I don't think so. dmbarbour added the "secure" modifier to "capability"
once, when referring to object capabilities, and such a modifier does
not inherently change its meaning; he never mentioned "insecure"
capabilities. You might consider the use of the modifier as implying a
belief in "insecure" capabilities, but he never mentioned such a thing
explicitly, so I'm not sure that's a fair inference; there was also no
discussion of forgery that I saw, beyond mention that capabilities are
unforgeable.
Everything he wrote on the talk page implies a proper understanding of
object capabilities, though the terminology he used is not common on
these lists. The main source of confusion was the term "ambient", for
which capability and programming language folks would infer different
meanings.
From my experience with dmbarbour's writing, he provides significant
detail when making a point, but covers so much ground from various
angles that it's sometimes difficult to follow the argument or
understand exactly where he's coming from. It makes sense that the
"ambient" he is referring to comes from the process calculus tradition,
since his Awelon language focuses on secure distribution and mobility.
There might be a meaningful abstraction dmbarbour is trying to point
out; I just don't think "ambient capability" is a good name for it, and
it would probably require too much explanation on the erights wiki for
it to be appropriate to hash it out there.
> There probably should be some policy discussion regarding the "focus" of
> the erights wiki. Is it focused mostly on:
>
> - E?
> - Object-capability security?
> - Capability-based security?
> - Programming-language-based security?
> etc.
A clarification might be helpful. I could see a new term having a place
on the wiki, assuming it was phrased in terms of E and existing
capabilities work, even if only to show where further work is required.
Sandro