Linux, IRIX, and "POSIX Capabilities"

Paul Snively
Sun, 07 Nov 1999 14:52:00 -0800

Ka-Ping Yee wrote:

> He had not heard of EROS, E, or
> KeyKOS before.  I am planning to send him some references (please
> suggest some good ones, and a good way to present them!)

I think MarkM's "Ode" is, by far, the best summary exposition of
capability-based security ever. It focuses on the right things (the
relations/transactions among entities), explicates the right things (that
focusing on the right abstraction(s) allows the construction of both
conceptual and software artifacts of astonishing generality), and addresses
the right things (why specifically capabilities strictly have greater power
than alternative approaches). All this in a very few pages, including the
"money" and "covered call options" examples.

I also think the "posix.1e confused deputy" example would be extremely

Unfortunately, I'm finding that the barriers to acceptance of capabilities
are indeed very high: I've spoken about them to the Los Angeles Java Users'
Group to at best lukewarm and, at worst, outright hostile reception; I've
urged respected professional technical journalists (Dan Gillmor at the San
Jose Mercury News, Nicholas Petrely (sp?) at LinuxWorld, and Michael Swaine
at Dr. Dobbs' Journal) to write about them and had only Dan Gillmor even go
so far as to toss back a one-sentence response indicating that I "made good

I'm curious, in general, as to what various members' take on the whole
question of our public face is, as thus far I've found evangelism rather
tough sledding.

One bright note: a client may be moving forward with a Droplets-based
application. Stay tuned!

Please reply to <> using PGP. My public key can
be found at <>. PGP can be found at
<>. Beginning 11/1/1999, unenciphered
e-mail will be immediately deleted unread. Thank you.