Seeking designs for a capabilities-based multi-user system

Jonathan S. Shapiro shap@eros-os.org
Sun, 23 Jul 2000 12:59:48 -0400


Steven: Welcome.

> If I can loosely summarize for the pop-science
> audience, a capability is sort of like a combination of:
>
>      a promise of some programmatic service or information
>      a digital signature that identifies and verifies it
>      a URL (effectively) pointing to the object that can provide the
>      service

I think that "pop-science" descriptions are very valuable, because most of
the people who read these lists don't know the subject matter already. That
said, it's important that the "easy" definitions don't get people misled. I
think that yours run this risk, but I like the idea and I want to suggest an
alternative approach.

First, an error. A capability conveys no promise of any programmatic service
or information. What a capability conveys is the right to *request* a
service or a piece of information. It cannot guarantee that the program
being called is correct, nor that it will respond with a good answer, nor
even that it will respond at all. Capabilities promise *access*, not
*correctness*.  My suggestion is just to eliminate this from your
definition.

Second, capabilities are not built on digital signatures. E-speak
capabilities (if I have understood Alan correctly) do use signatures. E,
EROS, and KeyKOS do not. I think a better way to say this is to say
something like:

    Capabilities are protected. You cannot "make
    them up", and you cannot change them.

You can then say that different systems enforce this in different ways; some
by digital signatures, others by "pointer safe languages" and still others
by partitioning.

Finally, I think that you definitely don't want to describe a capability as
a URL. If anything, it's the other way around -- a URL is a very bad
approximation to a capability (because in general it isn't protected from
modification, but see below). Perhaps a better way to say this is to say:

    a capability names an object or service

You can, if you wish, say that cryptographic capabilities can be encoded in
URLs. Check out the droplets work by Tyler Close and the encoding of object
references in Lotus Notes.

> ... one thing I'm still shallow on is how you'd use
> them in practice, how you'd design the implementation of a system
> using capabilities.

I think the answers are different for programming languages than they are
for operating systems. We have some reasonable examples of programming
languages that are pointer safe. MarkM, Alan, Norm and I have been debating
type systems in the last few weeks, but in a larger sense we are all pretty
much on the same page.

In the operating system context, this is one of the areas that I hope to be
working on.

I also think (and I hope MarkM and some others will chime in on this) that
multiuser stuff is approximately where the boundary starts between what I
think of as safe pointers and what I think of as operating systems. At the
boundary we may need to invent some new technologies.

> Has anybody coded, designed or done any brainstorming on how
> you'd do something like this?  I'd really be interested in reading it.

Can somebody point him to papers on Habitat and/or the work at Communities?

shap
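An added illustration of the three points made above (capabilities grant the right to *request*, not correctness; they are protected so you cannot make them up or change them; and that protection can come from pointer safety or from cryptography). This is example code written for this archive page, not code from the thread or from E, EROS, KeyKOS, E-speak or the droplets work. All object names, ids, the issuer key and the `issuer.example` host are constructed placeholders, and the HMAC-tagged URL scheme is a generic sketch, not any of those systems' actual encoding.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed demo: names, ids and keys are invented for illustration.

# --- Style 1: pointer safety -------------------------------------------
# In a pointer-safe language a capability *is* an object reference.  The
# only way to get one is to be handed it by a holder; there is no ambient
# registry in which a mere name could be looked up.

class Counter:
    """Authority-holding object, meant to be reachable only via a Facet."""
    def __init__(self) -> None:
        self.value = 0

    def increment(self) -> int:
        self.value += 1
        return self.value


class BrokenCounter(Counter):
    """Same interface, but the service behind it does not work."""
    def increment(self) -> int:
        raise RuntimeError("service unavailable")


class Facet:
    """Revocable forwarder: grants the right to *request* increment()."""
    def __init__(self, target: Counter) -> None:
        self._target = target
        self._alive = True

    def revoke(self) -> None:
        self._alive = False

    def increment(self) -> int:
        if not self._alive:
            raise PermissionError("capability revoked")
        return self._target.increment()


def pointer_safe_demo() -> Tuple[list, bool]:
    """Use a capability, revoke it, and confirm the holder loses access."""
    cap = Facet(Counter())            # the creator hands out a reference
    results = [cap.increment(), cap.increment()]
    cap.revoke()
    try:
        cap.increment()
        revoked = False
    except PermissionError:
        revoked = True
    return results, revoked


def access_not_correctness() -> bool:
    """A genuine capability to a broken service still yields no answer."""
    cap = Facet(BrokenCounter())
    try:
        cap.increment()
        return False
    except RuntimeError:
        return True


# --- Style 2: cryptographic capabilities carried in URLs ---------------
# The issuer keeps a secret key.  A capability string is the object id, the
# rights, and an HMAC over both.  Anyone may carry or copy it; nobody
# without the key can mint a new one or change the rights on one.

ISSUER_KEY = secrets.token_bytes(32)   # constructed per-issuer secret


def _tag(obj_id: str, rights: str) -> str:
    msg = f"{obj_id}|{rights}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def mint(obj_id: str, rights: str) -> str:
    """Issue a capability URL (host is a placeholder)."""
    query = urlencode({"obj": obj_id, "rights": rights,
                       "tag": _tag(obj_id, rights)})
    return f"https://issuer.example/?{query}"


def check(cap_url: str) -> Optional[Tuple[str, str]]:
    """Return (obj_id, rights) if the capability is genuine, else None."""
    q = parse_qs(urlparse(cap_url).query)
    try:
        obj_id, rights, tag = q["obj"][0], q["rights"][0], q["tag"][0]
    except KeyError:
        return None
    # Constant-time compare; a forged or edited capability fails here.
    if not hmac.compare_digest(tag, _tag(obj_id, rights)):
        return None
    return obj_id, rights


def tamper(cap_url: str) -> str:
    """A holder tries to edit a read capability into read+write."""
    return cap_url.replace("rights=read&", "rights=read%2Cwrite&")


def forge(obj_id: str, rights: str) -> str:
    """An outsider knows the format but not the key: plain hash as tag."""
    fake = hashlib.sha256(f"{obj_id}|{rights}".encode()).hexdigest()
    query = urlencode({"obj": obj_id, "rights": rights, "tag": fake})
    return f"https://issuer.example/?{query}"
```

Running `check(mint("doc42", "read"))` returns `("doc42", "read")`, while `check(tamper(...))` and `check(forge(...))` both return `None`: the URL can be copied and passed around, but not altered or minted without the issuer's key. `pointer_safe_demo()` shows the other enforcement style, where the only protection needed is that references cannot be fabricated, and `access_not_correctness()` shows that holding a valid capability says nothing about whether the service behind it answers.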