[cap-talk] capabilities as channels and as communication protocols
James A. Donald
jamesd at echeque.com
Mon Mar 2 23:23:26 EST 2009
Do people think that this description of capabilities makes sense? I
solicit criticism.

A capability is an object, object in the sense of "object oriented
language", that combines unforgeable designation with permission - it is
an object that enables an entity to do something, to do something to or
with a very specific thing, the thing designated.

Capabilities are therefore most useful in managing very narrow and
specific permissions, for example authority to access a particular file,
or particular database view, in a particular way, and are therefore
useful in implementing systems that operate in accordance with the
principle of least authority. A file handle should be, and often is, a
capability.

But since a capability grants permission it in practice is also a
communications channel, or the ability to open a communications channel,
between two entities - thus for example a file handle is a
communications channel between some program, and the highly privileged
operating system software that has block level read/write access to the
disk.

Further, each particular instance of such a communications channel has
to have a protocol, thus each class of capability is also a
communications protocol - instances of a particular class require a
corresponding class definition at both ends.

Capabilities are issued by a program that has authority to do something,
to other programs that do not have that authority, and then may be
passed around between those programs - presumably passed around through
secure communications channels - which communications channels may be,
and usually should be, themselves capabilities. Thus a capability may
also be thought of as a communications channel, one end of which may be
passed along a communications channel.

In a typical example of passing such things around, highly privileged
code that puts up a file select dialog to the user would get a file
handle from the even more highly privileged file system, and pass that
file handle to less privileged code that does something with the file
handle, less privileged code that does not have authority to get its own
file handles to the files that the file select dialog can see, or even
discover that these files exist, instead of the file select dialog
passing the file name to code that has authority to open and modify any
file it pleases by name.
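As an added illustration of the model described in the post above (this is example code, not something from the post or the cap-talk list), here is a small Python sketch of a capability as "designation plus permission": a file store that is only reachable through capability objects, a capability class whose methods are the protocol of the channel back to the store, attenuation from a read/write capability to a read-only one, and the file-select-dialog pattern in which privileged picker code hands a handle, not a name, to less privileged code. All names (FileStore, FileCap, file_select_dialog, word_count_plugin) are hypothetical.

```python
"""Toy capability model (added example, hypothetical names throughout).

Illustrates the three points made in the post:
  1. a capability bundles WHICH file (designation) with WHAT may be done
     (permission); holding one is the only route to the file's contents;
  2. the capability's methods are the protocol of a channel between the
     holder and the privileged store at the other end;
  3. privileged "file select dialog" code obtains a handle and passes it
     to less privileged code, which never receives a name or the store.
"""
from __future__ import annotations


class FileStore:
    """Privileged end of the channel: raw contents, addressable by name.

    Anything holding a FileStore reference has full authority over every
    file in it, so that reference is kept out of unprivileged code.
    """

    def __init__(self, files: dict[str, str]) -> None:
        self._files = dict(files)

    def open(self, name: str, *, writable: bool) -> "FileCap":
        """Mint a capability; this is the only place designation + permission meet."""
        if name not in self._files:
            raise FileNotFoundError(name)
        return FileCap(self, name, writable)

    # Entry points used only by FileCap (private by convention).
    def _read(self, name: str) -> str:
        return self._files[name]

    def _write(self, name: str, data: str) -> None:
        self._files[name] = data


class FileCap:
    """The capability object. Its public methods are the channel protocol.

    The designated name is not exposed: the holder can use this file but
    learns nothing that would let it name or enumerate other files.
    """

    __slots__ = ("_store", "_name", "_writable")

    def __init__(self, store: FileStore, name: str, writable: bool) -> None:
        self._store = store
        self._name = name
        self._writable = writable

    def read(self) -> str:
        return self._store._read(self._name)

    def write(self, data: str) -> None:
        if not self._writable:
            raise PermissionError("read-only capability")
        self._store._write(self._name, data)

    def read_only(self) -> "FileCap":
        """Attenuate: a weaker capability to the same designated file."""
        return FileCap(self._store, self._name, writable=False)


def file_select_dialog(store: FileStore, user_choice: str) -> FileCap:
    """Privileged picker: holds the store, returns only a handle.

    In a real system user_choice would come from the UI; here it is a
    parameter so the example runs offline.
    """
    return store.open(user_choice, writable=True)


def word_count_plugin(doc: FileCap) -> int:
    """Less privileged code: receives one handle and no store reference,
    so it has no way to open files by name or discover that others exist."""
    return len(doc.read().split())


def demo() -> dict:
    # Constructed sample contents; nothing here is real data.
    store = FileStore({"notes.txt": "hello capability world",
                       "secret.txt": "never reaches the plugin"})
    rw_cap = file_select_dialog(store, "notes.txt")   # privileged side
    ro_cap = rw_cap.read_only()                       # attenuate before passing on
    count = word_count_plugin(ro_cap)                 # unprivileged side

    try:
        ro_cap.write("tampered")
        denied = False
    except PermissionError:
        denied = True

    rw_cap.write("rewritten by the holder of the writable handle")
    return {
        "count": count,
        "readonly_write_denied": denied,
        "same_file_seen_through_ro": ro_cap.read(),
    }


if __name__ == "__main__":
    print(demo())
```

One caveat on the sketch: Python does not enforce unforgeability (any code can construct a FileCap or reach into `_store`), so the example shows the structure of the pattern, not a security boundary. The property the post relies on, that a capability cannot be manufactured from a name or guessed, has to come from the platform: an operating system's file descriptor table, an object-capability language, or hardware capabilities.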