[E-Lang] Summary for Practical Programming

Jonathan S. Shapiro shap@eros-os.org
Sat, 3 Feb 2001 17:20:11 -0500


I'm sure. There have been a number of systems that did implicit capability
reference, among them CAP (though only in memory context). Also a number
that in practice (i.e. in the real system) were fairly profligate about
handing capabilities around.

However, I think we can restate this as follows:

6a) We all agree that POLA is a desirable design objective, and that
capabilities inherently convey "narrow" authorities, in the sense that they
name only one object at a time (in contrast to user ids as basis for
protection, which name multiple objects at a time).

6b) We all agree that explicitly designating authority at the locus of use
imposes a style of use that simultaneously tends to reduce the number of
authority misuse errors and renders them easier to locate, identify, and
repair. We agree that capability systems (via C-list indices) lend
themselves to such explicit designation.
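
Added illustration, not part of Shapiro's message or the E-Lang thread: a toy Python model of the contrast drawn in 6a and 6b. A deputy (say a word counter) is run twice, once under uid-based protection and once with authority handed to it as a C-list, so the "narrow authority" and "designation at the locus of use" points can be seen in code. Every name, path and user id here (Capability, CList, uid_open, /home/alice/...) is hypothetical and the sample files are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample world for the example (hypothetical paths and uids).
FILES = {
    "/home/alice/notes.txt": "meeting notes for monday",
    "/home/alice/secret.key": "-----BEGIN PRIVATE KEY-----",
    "/etc/motd": "welcome",
}
OWNER = {"/home/alice/notes.txt": "alice",
         "/home/alice/secret.key": "alice",
         "/etc/motd": "root"}
WORLD_READABLE = {"/etc/motd"}


# ---- user ids as the basis for protection --------------------------------
def uid_open(uid, path):
    """ACL-style check. The uid is one credential that names every object
    the user owns, so any code running 'as alice' can reach all of alice's
    files, not only the one it was asked to work on."""
    if OWNER[path] == uid or path in WORLD_READABLE:
        return FILES[path]
    raise PermissionError(f"{uid} may not read {path}")


def uid_word_count(uid, path):
    """A deputy run with the caller's uid and a path it chose. The authority
    it exercises is implicit in the uid, not visible at the call site."""
    return len(uid_open(uid, path).split())


# ---- capabilities and a C-list ------------------------------------------
@dataclass(frozen=True)
class Capability:
    """Unforgeable designator for exactly one object, carrying the right to
    read it. 'Narrow' in the sense of 6a: one object per capability."""
    path: str

    def read(self):
        return FILES[self.path]


class CList:
    """A process's capability list. Code designates authority only by index
    into this list; it has no way to name an object it holds no cap for."""
    def __init__(self, caps):
        self._caps = list(caps)

    def invoke(self, index):
        if not 0 <= index < len(self._caps):
            raise IndexError(f"no capability in C-list slot {index}")
        return self._caps[index]


def cap_word_count(clist, index):
    """The same deputy, capability style: its whole authority is the C-list
    it was handed, and the object it acts on is designated at the point of
    use by slot number (6b)."""
    return len(clist.invoke(index).read().split())


# ---- contrasting the two styles -----------------------------------------
def uid_deputy_can_overreach():
    """Under uid-based protection the deputy asked to count notes.txt can
    just as easily read alice's key: nothing at the call site narrows it."""
    intended = uid_word_count("alice", "/home/alice/notes.txt")
    overreach = uid_word_count("alice", "/home/alice/secret.key")
    return intended == 4 and overreach > 0


def cap_deputy_cannot_overreach():
    """Under capability protection the caller grants exactly one cap. The
    deputy can count that file, and an attempt to reach anything else has no
    designator to use: the misuse fails at the index, right where it
    happens, which is what makes such errors easy to locate and repair."""
    notes_only = CList([Capability("/home/alice/notes.txt")])
    intended = cap_word_count(notes_only, 0)
    try:
        cap_word_count(notes_only, 1)
        return False
    except IndexError:
        return intended == 4


if __name__ == "__main__":
    print("uid deputy overreaches:", uid_deputy_can_overreach())
    print("cap deputy blocked:", cap_deputy_cannot_overreach())
```

The point to take from the two deputies is where the authority is written down: in the uid version it lives in ambient state and the reader must audit every path the code might construct, while in the C-list version the complete authority of the call is the list passed at the call site, so a grep for where capabilities are minted and handed over enumerates everything the deputy can touch.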