[e-lang] Threat model of capability-based systems
daw at cs.berkeley.edu
Wed Feb 23 18:19:33 EST 2005
Julien Couvreur writes:
>Also, I'm still trying to get my head around the larger picture of
>capabilities. Some loosely connected questions:
>- Is there an example design for a large system such as the
>desktop or an email application? A comparison threat model might be a
>good thing, comparing a current and a capability-enabled design.
No, I'm not aware of anything of comparable complexity to a
production-quality web browser or mail client that has been built on
E in the capability style. I think having such an example could be
very useful at helping us evaluate the strengths and weaknesses of these
development methodologies, but we don't have such a case study right now.
Right now, I think the closest we have may be systems like CapDesk and
Polaris, so you could look at those as a starting point. Maybe others
will be able to suggest other examples as well.
If you read through old mailing list archives, you'll find that I seem to
be the designated skeptic on this list, and I have argued several times
that such a case study would have a lot of value. I'm often reluctant
to fully believe anything until I have seen reams of implementation
experience. However, we have to remember that putting together such a
case study is truly an *enormous* amount of work.
>- Could the concept of capabilities be used on the web (ex: an
>amazon cart access capability, a credit card capability,..)?
Yes. If you're not deeply familiar with x509/SSL certificates as they
are deployed today, the risks of PKI, SDSI/SPKI, and the like, it might
be easier to start by understanding these ideas in the software world,
but there are some analogues in the world of public-key cryptography and
the web. Look through old archives for this list and for the cap-talk
list for loads of discussion on this topic. There is way too much to
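The "cart access capability" the question above asks about, as an added example that is not part of David Wagner's reply, the e-lang list, or E itself. It shows the properties a web capability has to provide: the reference designates one resource and carries its own authority, nobody without the server key can forge or widen one, and any holder can hand out a strictly weaker one without contacting the server. It uses a symmetric HMAC chain (macaroon-style) rather than the public-key constructions the reply points to; the server key, the cart identifiers and the rights vocabulary are constructed for the example.

```python
"""Added example (not from the e-lang post): a bearer capability for a web resource.

A capability bundles designation (which cart) and authority (what you may do
with it) in one unforgeable reference.  Here the reference is an HMAC chain:
the server mints a root token for a cart, any holder can attenuate it by
appending a restriction (no server key needed), and a holder of an attenuated
token cannot recover the wider one because that would require an HMAC preimage.
All keys, cart IDs and action names below are constructed for the example.
"""
import hashlib
import hmac
import secrets

# Assumption: one per-server secret that is never sent to clients.
SERVER_KEY = secrets.token_bytes(32)

ALL_RIGHTS = {"read", "add", "checkout"}


class Capability:
    def __init__(self, resource, caveats, tag):
        self.resource = resource          # designation, e.g. "cart/7f3a"
        self.caveats = tuple(caveats)     # restrictions added so far, e.g. "rights=read"
        self.tag = tag                    # HMAC chain over resource + caveats

    def attenuate(self, caveat):
        """Derive a strictly weaker capability.  Any holder can do this offline."""
        new_tag = hmac.new(self.tag, caveat.encode(), hashlib.sha256).digest()
        return Capability(self.resource, self.caveats + (caveat,), new_tag)


def mint(key, resource):
    """Server-only: create the root capability for a resource (full authority)."""
    root = hmac.new(key, resource.encode(), hashlib.sha256).digest()
    return Capability(resource, (), root)


def verify(key, cap):
    """Recompute the whole chain from the server key; True iff the tag is genuine."""
    expected = hmac.new(key, cap.resource.encode(), hashlib.sha256).digest()
    for caveat in cap.caveats:
        expected = hmac.new(expected, caveat.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, cap.tag)


def rights_allowed(cap):
    """Intersect every rights= caveat; a capability with none grants everything."""
    allowed = set(ALL_RIGHTS)
    for caveat in cap.caveats:
        if caveat.startswith("rights="):
            allowed &= set(caveat[len("rights="):].split(","))
    return allowed


def authorize(key, cap, resource, action):
    """Server-side check: genuine token, right resource, action permitted."""
    if not verify(key, cap):
        return False      # forged, tampered with, or widened
    if cap.resource != resource:
        return False      # designates a different cart
    return action in rights_allowed(cap)


def demo(key=SERVER_KEY):
    """Walk through the shopper / helper-service scenario and report each outcome."""
    cart = mint(key, "cart/7f3a")                    # full authority, held by the shopper
    read_only = cart.attenuate("rights=read")        # what the shopper hands to a helper
    # Two things a dishonest helper might try with only read_only in hand:
    widened = Capability(read_only.resource, (), read_only.tag)            # drop the caveat
    retargeted = Capability("cart/0001", read_only.caveats, read_only.tag)  # point at another cart
    return {
        "owner_checkout": authorize(key, cart, "cart/7f3a", "checkout"),         # True
        "helper_read": authorize(key, read_only, "cart/7f3a", "read"),           # True
        "helper_checkout": authorize(key, read_only, "cart/7f3a", "checkout"),   # False
        "widened": authorize(key, widened, "cart/7f3a", "checkout"),             # False
        "retargeted": authorize(key, retargeted, "cart/0001", "read"),           # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point to notice is that the server keeps no per-user ACL at all: the token is the whole authorization decision, so the shopper can delegate a read-only view of their cart to a third party by sending it one string, and the third party cannot turn that into checkout authority or into access to someone else's cart.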