Confusing The Deputy (was: Split Capabilities: Making Capabilities Scale)

[Jonathan S. Shapiro]

> I think we have a deep difference of assumptions and (dare I use the term)
> paradigms here.  For us, the most important lesson about the coherence of
> the capability programming paradigm is the Confused Deputy problem...

I agree that this one is real important, but I would personally rather see
this discussion framed in terms of principles:

    least privilege
    explicit denotation of authority
    it's either enforceable or it's not protection
    etc.

I view the "confused deputy" as one anecdote in a large space that
illustrates why these principles matter.

We should try to enumerate this principles list. I have tried on several
occasions with limited success. I suspect there are differences between the
E list and the EROS/KeyKOS list, and that these would be interesting to
explore together.

shap