Capabilities by any other name

Mark S. Miller markm@caplet.com
Tue, 09 Nov 1999 16:12:37 -0800


At 02:32 PM 11/9/99 , Marc Stiegler wrote:
>"secure caps", wherein "cap" is the abbreviation for capability?

Well, we already use "cap:" for our capability URIs.  What do y'all think of 
http://www.erights.org/images/e-cap.gif as a 32x32 icon for a *.cap file 
containing a cap: URI?

(Of course, I have no doubt that Ping could do a vastly better job on the 
look of the icon without even taking a breath ;) )

Why is the qualifier "secure" necessary?  If it ain't secure, surely it's 
not a cap or a capability.


More seriously, Hal's note got me thinking as well.  It turns out that even 
among proper historical usage, there's two different capability notions that 
need to be distinguished.  As we say in the Ode paper,

>The capability was first invented by secure operating system designers. It 
>started as a way to protect "primitive" resources such as memory segments 
>[Dennis66], but was soon generalized [Wulf74] into a protected ability to 
>invoke arbitrary services provided by other processes.

If I didn't care about how terms sound, I might suggest "memory capability" 
for what Dennis66 was doing, "invocation capability" for what Wulf through 
ourselves are doing, and if I understand it correctly, "ambient capability" 
for what Posix/IRIX/Linux and (separately) Netscape are doing, assuming (as 
seems likely) that we can't get them to reform their terminology.  The 
problem is that "invocation capability" sounds bad while "ambient 
capability" sounds cool.

I suspect that Wulf74 (the Hydra system) is not actually the origin of 
invocation capabilities, it's just the first among systems *I* studied.  
What is the right cite for the origin of invocation capabilities?  Lampson & 
Cal?  Perhaps naming them after their inventor would work (the "Lampson 
Capability"?).  Failing that, perhaps we refer to the "Lambda Capability", 
thereby making the widely unappreciated connection explicit.

I like Hal's point that, once introduced at the beginning of a paper, we 
could then refer to it in short form during the paper.  The short form could 
be either "capability", "cap", or, what we usually chose in the Ode paper, 
"ref".  "Capability" (or "Lampson Capability") is the security model.  The 
individual thing is better called a "reference" or "ref".

At 03:45 PM 11/9/99 , Ka-Ping Yee wrote:
>"The only `intuitive' interface is the nipple.  After that, it's all learned."
>     -- Bruce Ediger, on user interfaces

So that's why none of the others are as much fun.


         Cheers,
         --MarkM