[e-lang] Threat model of capability-based systems

David Wagner daw at cs.berkeley.edu
Wed Feb 23 18:19:33 EST 2005

Julien Couvreur writes:
>Also, I'm still trying to get my head around the larger picture of
>capabilities. Some loosely connected questions:
>- Is there an example design for a large system such as the
>desktop or an email application? A comparison threat model might be a
>good thing, comparing a current and a capability-enabled design.

No, I'm not aware of anything of comparable complexity to a
production-quality web browser or mail client that has been built on
E in the capability style.  I think having such an example could be
very useful at helping us evaluate the strengths and weaknesses of these
development methodologies, but we don't have such a case study right now.
Right now, I think the closest we have may be systems like CapDesk and
Polaris, so you could look at those as a starting point.  Maybe others
will be able to suggest other examples as well.

If you read through old mailing list archives, you'll find that I seem to
be the designated skeptic on this list, and I have argued several times
that such a case study would have a lot of value.  I'm often reluctant
to fully believe anything until I have seen reams of implementation
experience.  However, we have to remember that putting together such a
case study is truly an *enormous* amount of work.

>- Could the concept of capabilities be used on the web (ex: an
>Amazon cart access capability, a credit card capability, ...)?

Yes.  If you're not deeply familiar with x509/SSL certificates as they
are deployed today, the risks of PKI, SDSI/SPKI, and the like, it might
be easier to start by understanding these ideas in the software world,
but there are some analogues in the world of public-key cryptography and
the web.  Look through old archives for this list and for the cap-talk
list for loads of discussion on this topic.  There is way too much to
repeat here.
