On the sufficiency of capabilities

shapj@us.ibm.com shapj@us.ibm.com
Tue, 9 Nov 1999 13:18:38 -0500

In this thread I propose to butcher (and if possible barbecue) a sacred
cow: the notion that capabilities are sufficient in themselves, and the
assumption that other security models have nothing of value to offer.  As
you all know, I think that capabilities are important. I will preface my
butchery with a clear statement of *why* this is so, before turning to the
question of whether capabilities.  In the end, I will gather the concensus
into a new "introductory note", as these are getting read widely.

To keep the threads of the discussion separated, I shall send this note in
three parts, entitled:

     Why Capabilities and Persistence are Essential
     An MLS Challenge
     The Traceability Challenge

The first is an attempt to identify the conditions under which capabilities
(as opposed to other mechanisms) are necessary.  The second and third are
challenge problems that I believe cannot be satisfactorily solved using
purely capability-based designs.

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Email: shapj@us.ibm.com
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595