[cap-talk] Capabilities for immutable data
David Wagner
daw at cs.berkeley.edu
Tue Feb 22 03:00:33 PST 2011
Viswanathan, Kapaleeswaran (HP Labs India) wrote:
> (Principle of Configured Authority) If M and M' are (possibly identical)
> implementations of a module (or function) such that M can cause effect E
> on R while M' cannot cause effect E on R, then M has the authority to
> cause E on R.
Yes, that was what I was driving at, as a first attempt at a
definition of "authority".
(I don't know what "Principle of Configured Authority" means.)
> The role of this principle in system design is primarily to ensure that
> security configurations (or decisions) are not hard-coded.
It is? I'm afraid you lost me here. I would not call it a
principle at all. Rather, it is a definition -- a definition of
what we mean by the word "authority".
(Or, at least: it is an attempt at a definition. The definition might
suck, for all I know; I haven't given it sufficient thought to be strongly
attached to this definition. But it's an attempt at defining what we
mean by "authority".)
The rest of your message left me confused, and does not sound like
my understanding of the topic, so I suspect some miscommunication.
My apologies if I have not been very clear.
Since I suspect miscommunication, may I ask whether you've read some
of the introductory material on capabilities? I recommend Mark Miller's
thesis as a starting point, or at least Chapters 1, 2, 3, 4, 5, 8, 9.
http://www.erights.org/talks/thesis/
Also, if it is helpful to you, I have a talk on object capabilities:
http://www.youtube.com/watch?v=EGX2I31OhBE
http://www.cs.berkeley.edu/~daw/talks/TRUST07.pdf
If you're not familiar with these, I would suggest reading them before
continuing; I think it may help establish a common vocabulary.
> In other words, how can the gap between "authority" and "capability" be
> linked?
A capability is a permission. See MarkM's thesis for the connection
between permission and authority, especially Section 8.1.
> Today, capability is defined informally as an "unforgeable
> transferable token." Some property of an object is considered as
> capability according to this definition while we are interested in the
> effect that this object can cause on a system than in the object itself.
I would say, it is an "unforgeable transferable reference".
A capability is a reference to an object, not the object itself.
The second sentence lost me.
> What is the link between "authority" and "permission"?
There is a discussion of this in Mark Miller's thesis,
in Section 8.1.