Notes and capabilities
Wed, 10 Nov 1999 13:48:21 -0500
Domino capabilities are sometimes used for permission transfer. It is
common to insert into a piece of mail an object reference (which is in fact
one of these URLized capability thingies) to send a reference to a
particular object to someone else. Just FYI, "thingies" is a technical
I think that the purist position in this list is resulting in some
revisionism. There have been many many systems that have used hybrid
protection mechanisms, wherein authority required both possession of a
capability and *also* authorization via some other mechanism such as ACLs.
That is, designs in which possession of a capability was necessary but not
sufficient. In such systems, the descriptor held by the process is
properly referred to as a capability; this has been the convention in the
literature for the last 30 years. The system as a whole, however, is
generally not considered a capability system.
Thus, the Domino URLs are in fact capabilities, whether or not Domino also
uses an ACL system.
I never claimed that Domino was a capability system. I said that the
encoding of capabilities in URLs in the style that Droplets encodes
capabilities had been done before in Domino. Whether Domino uses ACLs or
accomplished authority transfer using these capabilities is not germane to
whether they ARE capabilities.
The fact that the encoding has been done before doesn't detract any from
Droplets. It merely falsifies the minor claim that Droplets is the first
system to encode capabilities this way.
Actually, the association with Domino may be a good thing for Droplets.
Not every aspect of Domino is beloved by its users, but the object encoding
seems to work reliably.
Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595
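
The hybrid design discussed in the message above, where possession of a capability is necessary but not sufficient, shown as an added illustration that is not part of the original post and is not Domino's or Droplets' actual encoding. The `HybridStore` class, the `server.example` URL, the object names and the principals are all hypothetical.

```python
import secrets

BASE = "https://server.example/obj/"  # hypothetical server, constructed for this example


class HybridStore:
    """Objects are named only by unguessable URLs; an object may also carry an ACL."""

    def __init__(self):
        self._by_token = {}  # token -> object name
        self._objects = {}   # object name -> (content, ACL set or None)

    def create(self, name, content, acl=None):
        self._objects[name] = (content, None if acl is None else set(acl))

    def mint_url(self, name):
        """Return a URL-encoded capability for an existing object."""
        if name not in self._objects:
            raise KeyError(name)
        token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
        self._by_token[token] = name
        return BASE + token

    def fetch(self, url, principal):
        """Return (allowed, detail). The capability is checked first, then any ACL."""
        token = url[len(BASE):] if url.startswith(BASE) else ""
        name = self._by_token.get(token)
        if name is None:
            return (False, "no such capability")
        content, acl = self._objects[name]
        if acl is not None and principal not in acl:
            return (False, "capability valid, ACL denies")
        return (True, content)


def demo():
    """Alice mails both URLs to Bob; only the ACL-free object follows the URL."""
    store = HybridStore()
    store.create("memo", "memo text")                      # capability alone suffices
    store.create("ledger", "ledger text", acl={"alice"})   # hybrid: capability AND ACL
    memo_url, ledger_url = store.mint_url("memo"), store.mint_url("ledger")
    return {
        "bob_memo": store.fetch(memo_url, "bob"),
        "bob_ledger": store.fetch(ledger_url, "bob"),
        "alice_ledger": store.fetch(ledger_url, "alice"),
        "alice_guess": store.fetch(BASE + "not-a-minted-token", "alice"),
    }
```

In both cases the URL is a capability: without it nobody, including a principal on the ACL, can name the object. Only for the ACL-free object does mailing the URL also transfer the authority.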