[cap-talk] Scope/span of capability systems (esp. as data), network reach

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Tue Mar 3 06:53:45 EST 2009

Jed Donnelley wrote:
> At 11:16 AM 2/27/2009, Marcus Brinkmann wrote:
>> Jed Donnelley wrote:
>> ...
>>> I do!  That is where my view about capabilities as data such as
>>> YURLs/Web keys becomes most relevant.  As I've noted my best hope
>>> for advancement of IT systems via getting closer to least privilege
>>> sharing comes through such networked capability systems.
>> I think that is a mildly optimistic view :D but it seems to explain the
>> differences between you and me.
>> So let me see how you think it could work out.  Let's assume your vision is
>> realized, then it should be possible, I guess (if not, why not?), that you
>> send me per email a capability that designates the authority to make deposits
>> to your bank account (presumably in a US bank).  I further assume that I can
>> get or already have a capability to my bank account (in a German national
>> bank) that allows me to make withdrawals.  Would I be able to use these two
>> capabilities to transfer 1 EUR from my account to yours?  Where is the service
>> located that I would need to use to do that?  Who owns and runs that service,
>> and who pays for it?  Who regulates it?
> This doesn't seem to me a very interesting example, because we 
> essentially already have such "capabilities".  Of course I would only 
> send you a "deposit-only" capability to my account.  This is 
> essentially an account number.  You could send me such a capability 
> to your account.  I could deposit into your account by using my full 
> access capability (typically in current electronic form with 
> username, password, various registered info, etc.) and the deposit 
> only account that you sent to me.
> The service is of course provided by the banks.  Nothing new there.

But the account number is *not* a capability.  It is pure designation.

I picked this example because transferring money from one account to another
can be seen as a single operation that involves two capabilities (at least)
which likely come from very separate domains (separated by organization, even
by nation).  A system where such an operation would be implemented by
capabilities (real capabilities, not by can-be-seen-as-such designation) seems
virtually impossible to achieve to me, for many practical reasons.

The service of international money transfer seems to be quite complex.  It
takes weeks, money is moved across several organizations, and you have to pay
a premium to get any guarantee that it will even arrive.

>> Would it work also if I were to live in Cuba or N. Korea instead of Germany?
> Certainly, with the usual issues of currency conversions.  While I've 
> only done such transactions electronically recently with US banks, 
> when I lived in Germany in 1994-1995 I did some cash movements 
> between US and German banks.  I expect there are such facilities that 
> are purely electronic these days.  Not?  Is Ing Direct available in 
> Germany?  I could send you a $1 and you could send it back (or send 
> me a Euro, my profit ;-) if you'd like to experiment.

The reason I picked Cuba and N. Korea was to amplify the practical differences
in agreeing to a single world-wide capability system.

> I prefer working with files and directories as examples because these 
> are the main objects managed by the current market leading OSs of 
> Windows, Mac, and Unix.

But nobody needs capabilities to share files and directories from such
systems.  Between internal distribution, public distribution and sending
copies around by email all common use cases I can think of are covered.

Let's imagine that for some reason (which?) we decide that transferring files
by capability is a good idea.  Then you send me a directory capability of some
good music you recorded, and I want to copy it to my own storage for later
access.  Now, either you have your computer turned on 24/7 and have special
expertise or a maintenance contract for somebody to take care of the server
software on your computer, or you are using a web service, say Google Drive,
for those files.  But I don't trust Google and use Tahoe instead.  How do the
capabilities (and/or the data) move from Google to Tahoe?  Now we are getting
closer to an example that is similar to the money transfer example.

Again, I can easily see how this could be made to work if we both use Google
Drive, or in general the same service provider.  I don't see it scaling across
multiple providers.

The advantage of the money transfer example is that it is an important real
world use case for common people, while the example involving files seems
contrived to me.
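An added worked example, not part of the post above and not code from either author: a toy single-provider "bank" in Python showing the distinction the post draws between an account number (pure designation) and a web-key style capability (an unguessable token the bank binds to an account and a set of rights). All names here (Bank, transfer, demo, the account numbers) are invented for the illustration. The transfer at the end succeeds only because one caller holds both tokens and both banks are reachable in the same process; the cross-provider service that would do this for real is exactly what the post says is missing.

```python
import secrets


class Bank:
    """Toy single-provider bank (constructed example, not a real API).

    An account number is a public designator: it names an account but
    authorizes nothing.  A capability is an unguessable token that the
    bank binds to (account number, rights); presenting it is what authorizes.
    """

    def __init__(self, name):
        self.name = name
        self.balances = {}  # account number -> balance (designation only)
        self.caps = {}      # secret token -> (account number, frozenset of rights)

    def open_account(self, account_no, initial=0):
        """Create an account and return a full-access capability to it."""
        self.balances[account_no] = initial
        return self._mint(account_no, {"deposit", "withdraw"})

    def _mint(self, account_no, rights):
        token = secrets.token_urlsafe(32)  # 256 random bits: not guessable like an account number
        self.caps[token] = (account_no, frozenset(rights))
        return token

    def _resolve(self, token):
        try:
            return self.caps[token]
        except KeyError:
            # A bare account number, or any other guess, is not a minted token.
            raise PermissionError("not a capability") from None

    def attenuate(self, token, rights):
        """Derive a weaker capability (e.g. deposit-only); rights can only be dropped."""
        account_no, held = self._resolve(token)
        if not set(rights) <= held:
            raise PermissionError("cannot amplify rights")
        return self._mint(account_no, rights)

    def deposit(self, token, amount):
        account_no, rights = self._resolve(token)
        if "deposit" not in rights:
            raise PermissionError("capability lacks deposit right")
        self.balances[account_no] += amount

    def withdraw(self, token, amount):
        account_no, rights = self._resolve(token)
        if "withdraw" not in rights:
            raise PermissionError("capability lacks withdraw right")
        if self.balances[account_no] < amount:
            raise ValueError("insufficient funds")
        self.balances[account_no] -= amount


def transfer(src_bank, src_cap, dst_bank, dst_cap, amount):
    """Move money with two capabilities from (possibly) different providers.
    Works here only because one caller reaches both banks in-process."""
    src_bank.withdraw(src_cap, amount)
    dst_bank.deposit(dst_cap, amount)


def demo():
    """Play out the scenario from the thread; returns what each attempt did."""
    us_bank, de_bank = Bank("US bank"), Bank("German bank")
    jed_full = us_bank.open_account("US-0001", initial=0)
    marcus_full = de_bank.open_account("DE-0001", initial=10)
    # Jed mails Marcus a deposit-only capability attenuated from his full one.
    jed_deposit_only = us_bank.attenuate(jed_full, {"deposit"})

    results = {}
    try:  # the bare account number designates but does not authorize
        us_bank.deposit("US-0001", 1)
        results["account_number_deposits"] = True
    except PermissionError:
        results["account_number_deposits"] = False
    try:  # deposit-only really is deposit-only
        us_bank.withdraw(jed_deposit_only, 1)
        results["deposit_only_withdraws"] = True
    except PermissionError:
        results["deposit_only_withdraws"] = False
    try:  # holder of an attenuated cap cannot mint a stronger one
        us_bank.attenuate(jed_deposit_only, {"deposit", "withdraw"})
        results["amplified"] = True
    except PermissionError:
        results["amplified"] = False

    # The 1 EUR transfer (currency conversion ignored in this toy).
    transfer(de_bank, marcus_full, us_bank, jed_deposit_only, 1)
    results["jed_balance"] = us_bank.balances["US-0001"]
    results["marcus_balance"] = de_bank.balances["DE-0001"]
    return results


if __name__ == "__main__":
    print(demo())
```

Note what the token buys: possession of the string is the whole authorization, so it can be sent by email like the post assumes, and it can be attenuated before sending; the account number, by contrast, is printable on an invoice precisely because it authorizes nothing.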

