Capabilities by any other name
Mark S. Miller
Tue, 09 Nov 1999 16:12:37 -0800
At 02:32 PM 11/9/99 , Marc Stiegler wrote:
>"secure caps", wherein "cap" is the abbreviation for capability?
Well, we already use "cap:" for our capability URIs. What do y'all think of
http://www.erights.org/images/e-cap.gif as a 32x32 icon for a *.cap file
containing a cap: URI?
(Of course, I have no doubt that Ping could do a vastly better job on the
look of icon without even taking a breath ;) )
Why is the qualifier "secure" necessary? If it ain't secure, surely it's
not a cap or a capability.
More seriously, Hal's note got me thinking as well. It turns out that even
among proper historical usage, there's two different capability notions that
need to be distinguished. As we say in the Ode paper,
>The capability was first invented by secure operating system designers. It
>started as a way to protect "primitive" resources such as memory segments
>[Dennis66], but was soon generalized [Wulf74] into a protected ability to
>invoke arbitrary services provided by other processes.
If I didn't care about how terms sound, I might suggest "memory capability"
for what Dennis66 was doing, "invocation capability" for what Wulf through
ourselves are doing, and if I understand it correctly, "ambient capability"
for what Posix/IRIX/Linux and (separately) Netscape are doing, assuming (as
seems likely) that we can't get them to reform their terminology. The
problem is that "invocation capability" sounds bad while "ambient
capability" sounds cool.
I suspect that Wulf74 (the Hydra system) is not actually the origin of
invocation capabilities, it's just the first among systems *I* studied.
What is the right cite for the origin of invocation capabilities? Lampson &
Cal? Perhaps naming them after their inventor would work (the "Lampson
Capability"?). Failing that, perhaps we refer to the "Lambda Capability",
thereby making the widely unappreciated connection explicit.
I like Hal's point that, once introduced at the beginning of a paper, we
could then refer to it in short form during the paper. The short form could
be either "capability", "cap", or, what we usually chose in the Ode paper,
"ref". "Capability" (or "Lampson Capability") is the security model. The
individual thing is better called a "reference" or "ref".
At 03:45 PM 11/9/99 , Ka-Ping Yee wrote:
>"The only `intuitive' interface is the nipple. After that, it's all learned."
> -- Burce Ediger, on user interfaces
So that's why none of the others are as much fun.