I ran across your essay "What _is_ a Capability, Anyway?" after an altavista search. Thank you, it was most helpful.
After I read it, I began to think of some questions on my way to pick up my son from day-care. The questions came about when I began to relate capabilities and access control lists to familiar systems that seem similar. I wanted to get your reaction to where my thinking was heading. Maybe I'm all confused.
Basically, while I see the advantages of capabilities, it is not as clear-cut to me that capabilities are to be prefered to ACLs. Consider the following two access control systems: keyed entry (as in real keys on a key ring) and "swipe" cards (that you swipe through a card-reader to gain access). Now the former seems to be close to a capability system. The later more like an access control list - when you swipe the card, a computer looks up your id and verifies your right to entry at the given doorway.
So from here my questions developed. First I wondered about why it is that "modern' buildings seem to be moving more to swipe cards than keys (ACLs than capabilities). There do seem to be some advantages to the former:
These are obviously advantages of swipe cards over keys. My question is "do they extend to ACLs over capabilities?" You discussed the first of these (deletion) in your essay. What about the second? Capabilities seem stateless and so it is not clear to me how to do entry-count type access control.
My next question relates to how capabilities are granted in the first place. When I obtain a capability against an object o, does the owner of o not apply an access list type mechanism to determine if the capability should be granted? Back to the key example: utimately the building owner would apply a ACL type mechanism to determine whether to give me a building key.
I'm beginning to conclude that ACLs and capabilities are inseparable. There is a certain intermix ratio of how often ACLs are checked (to obtain capabilities) and how often capabilities are used.
Because of your essay and your research, I suspect you have a different opinion of all this and that is why I am writing. In particular, I'm especially interested in any references describing how a "pure capability" system grants capabilities without ACLs, and on your remark that it is impossible to build a capability-based system on top of an ACL system.
Thanks for any comments or pointers.