[cap-talk] Capability essence (was: Re: A Taxonomy of Current Object-Cap Systems)
cap-talk-193 at tagged.lorens.org
Fri Mar 6 20:06:22 EST 2009
On Thu, Mar 05, 2009 at 11:37:29PM -0800, Jed Donnelley wrote:
> At 02:24 PM 3/5/2009, Mark Miller wrote:
> > If a capability cannot be sent in a message, then the system isn't an
> > object-capability system. That's why I drew such attention to the
> > Granovetter diagram.
> I hope we can all agree on the above. A facility for communicating
> capabilities in messages is the one absolutely fundamental and
> mandatory aspect of any "capability" system, even beyond strictly
> object-capability systems as with capabilities as data. Capability
> systems are first and foremost capability communication systems.
> If there is any disagreement on the above I'd certainly like to
> hear it.

Would it be correct to say that if you do not communicate
capabilities to other processes, then the use of capabilities
is restricted to communicating between processes that have a
parent/child relationship? Such a system would theoretically be
useable if the processes proxied all the information, but that
would mean a lot of overhead (an unimaginable lot of overhead
in fact), so instead of proxying you want to communicate a
capability to your child/parent so that the two can communicate

Taking another angle: I see the communication of a capability
as saying "you can use the resource accessed through this
capability directly, without me proxying for you". If you remove
the communication of capabilities, you reduce the interactions
between your objects/processes so that everyone has to proxy
through (several) parent/child relationships. That reduction
could maybe be useful in security analysis of the system, but I
think the overhead precludes any implementation.
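
The trade-off discussed in this message, as an added example that is not part of the original post: a small Python model that counts message hops when every call is proxied along parent/child links, versus when a capability is passed along that path once and then invoked directly. The `Process` class, the cost functions and the five-process tree are hypothetical names and constructed sample data.

```python
class Process:
    """Hypothetical process that starts with capabilities only to parent and children."""
    def __init__(self, name, parent=None):
        self.name, self.parent = name, parent
        self.caps = {}                      # name -> Process it may invoke directly
        if parent is not None:
            parent.caps[name] = self
            self.caps[parent.name] = parent

def ancestors(p):
    chain = [p]
    while chain[-1].parent is not None:
        chain.append(chain[-1].parent)
    return chain

def tree_path(src, dst):
    """Route src -> common ancestor -> dst using parent/child links only."""
    up, down = ancestors(src), ancestors(dst)
    common = next(a for a in up if a in down)
    return up[:up.index(common) + 1] + down[:down.index(common)][::-1]

def send(path):
    """Deliver one message along path; every hop must use a held capability."""
    for a, b in zip(path, path[1:]):
        if b.name not in a.caps:
            raise PermissionError(f"{a.name} holds no capability to {b.name}")
    return len(path) - 1                    # number of hops

def proxied_cost(src, dst, calls):
    """No capability transfer: every call is relayed by each process on the path."""
    return calls * send(tree_path(src, dst))

def introduced_cost(src, dst, calls):
    """A capability to dst travels the tree path once; src then calls dst directly."""
    transfer_hops = send(tree_path(dst, src))
    src.caps[dst.name] = dst                # src now holds the capability
    return transfer_hops + calls * send([src, dst])

def build_demo():
    """Constructed sample tree: root -> (left -> a), (right -> b)."""
    root = Process("root")
    left, right = Process("left", root), Process("right", root)
    return Process("a", left), Process("b", right)

if __name__ == "__main__":
    a, b = build_demo()
    print("proxied:", proxied_cost(a, b, 100))
    print("introduced:", introduced_cost(a, b, 100))
```

In this model the proxied cost grows with the number of calls times the path length, while the introduced cost pays for the path once.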