[E-Lang] E FAQ

David Wagner daw@cs.berkeley.edu
Sun, 14 Oct 2001 23:48:41 -0700


[Forwarded with permission.  --MarkM]

> Not much, in the sense that I have a trivial answer.  I've been coding in a 
> capability style on and off for over a decade, and therefore in a style in 
> which revocation needs to be explicit.  Two observations make me think that 
> capabilities got this right: 1) Most capabilities never need to be revoked.  
> 2) When they do need to be revoked, the lifetime till revocation has never, 
> in my experience, been based on call-return (even though such a lifetime 
> would be easy to code, and would in theory seem to be coherent and useful).

Thanks.  Those are useful observations -- just the sort
of experience needed to answer the sorts of questions
I was asking.

(I should say that it might also make sense to ask, not only
how early does a capability *need* to be revoked, but also
how early can we revoke it, i.e., how soon can we say that
the callee will never need it again.  Lest the distinction
seem unimportant, my interest in the latter is on POLA grounds.)

> Do you also agree that principal-orientation has the problems I point to?

Sure.

> But I'd say this applies to capability systems in general, both languages 
> and OSes, rather than just E.  While my ego is tickled by "E-like capability 
> systems", I don't see why the qualifier is needed.

Well, it's only a matter of definitions.  I use the qualifier
to avoid confusion with the other sorts of systems that have
called themselves capability systems but that you probably
would not consider a full-blown capability system.

I've seen the phrase 'capabilities' applied to systems where
references do not convey authority.  If my recollection is
correct, some of the early systems (like Hydra) passed the
capability as a separate token.  And from time to time I hear,
e.g., Kerberos tickets described as a "distributed capability".

And it seems the key feature of E's capabilities, from which
most (all?) of the good properties flow, is that object references
serve double-duty as both pointers and as authority, so we would
not want to confuse Hydra, Kerberos, and so on with an E-like
architecture.

For some of us in OS security who were taught about these systems,
the notion of a capability system is broader than just E-like
semantics.  I'm sure the "E-like" qualifier is redundant for
some audiences, but not -- I think -- for all, and I'd rather
be redundant than risk confusion.  Does this seem reasonable?

-- David
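The two points above, that an object reference is itself the authority and that revocation in capability-style code is an explicit act whose lifetime is not tied to call-return, can be seen in a small revocable forwarder (the "caretaker" pattern). This is an added example written in plain Python, not code from this thread or from E itself; the names Caretaker, Forwarder and Logger are assumed for illustration.

```python
class Revoked(Exception): pass

class Caretaker:
    """Holds the real target; hands out a forwarder and keeps the power to revoke."""
    def __init__(self, target):
        self._target = target

    def forwarder(self):
        return Forwarder(self)

    def revoke(self):
        self._target = None   # explicit act by the grantor, unrelated to call/return

class Forwarder:
    """Holding this reference is the authority; after revocation it conveys nothing."""
    def __init__(self, caretaker):
        self._caretaker = caretaker

    def __getattr__(self, name):
        # Resolve the target on each call instead of returning a bound method, so
        # the real object never leaks to the holder and revocation takes effect at once.
        def send(*args, **kwargs):
            target = self._caretaker._target
            if target is None:
                raise Revoked(name)
            return getattr(target, name)(*args, **kwargs)
        return send

class Logger:
    def __init__(self):
        self.lines = []

    def write(self, msg):
        self.lines.append(msg)
        return len(self.lines)

def demo():
    """Grant a revocable reference, use it across several calls, revoke, retry."""
    real = Logger()
    ct = Caretaker(real)
    fwd = ct.forwarder()          # only the forwarder is handed to the callee
    fwd.write("first")
    fwd.write("second")           # the grant outlives any single call/return
    ct.revoke()
    try:
        fwd.write("third")
        revoked = False
    except Revoked:
        revoked = True
    return real.lines, revoked
```

Whoever holds only the forwarder can exercise the authority for as long as the grantor chooses, and loses it the moment revoke() is called, regardless of how many calls have come and gone in between.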