Re: Communicating Conspirators
Norman Hardy (norm@netcom.com)
Mon, 6 Dec 1999 17:34:51 -0800

At 16:39 -0800 99/11/18, hal@finney.org wrote: ...
>Therefore ACLs can disallow irrevocable delegation while capabilities
>(by themselves) cannot.
...
A pithy concise statement. Thanks Hal.

Actually capabilities can, but with penalties. <http://www.agorics.com/KeyKos/keysafe/Security.html#mandatory> describes a design that the NSCS thought met the requirements of mandatory security. The scheme described there might be characterized as not meeting the spirit of capabilities, but it required no modifications to the capability foundations. There is a performance penalty for systems that are constructed across the boundary, part in one world and part in another.

Let me describe a simpler, less expensive scheme here. This scheme is not characterized by a central point of security policy, as the above design was.

Suppose that you wish to protect yourself from your own forgetfulness and for that reason wish to abdicate your ability to export irrescindable capabilities. This is done by putting a front end on the directory of capabilities to "other people's worlds". This is the tool that the internal mail system uses to send mail, or any other sort of signal, to some other agency, such as a person. It is the tool that the very first timesharing systems lacked when the goal was total isolation. It is the name space where "Alice" is evaluated. All capabilities from your realm to Alice's will be mediated by a rescindable version. A database that knows that this is a line between you and Alice is in a position to "drop the iron curtain", and each of you will disappear to the other just as if you had been connected by a communications link that has been destroyed. Of course the person that introduced you to the system may already have provided you with this weakened user directory. It is the ultimate "man in the middle".

<http://www.agorics.com/KeyKos/Gnosis/103.html> describes something that was indeed implemented and serves as an intermediary between two worlds that introduces new intermediaries as capabilities are passed across the boundary. It is the same mechanism used to transmit capabilities over wires.

Norman Hardy <http://www.mediacity.com/~norm>
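The rescindable front end described above, as an added example that is not part of Hardy's post or of KeyKOS: `Link` is the database entry for the line between two worlds, `lookup` is the weakened directory where "alice" is evaluated, and every capability that crosses the line (arguments and results alike) is wrapped in a fresh `Forwarder` that dies when the curtain drops. All names, the `Mailbox`/`Receipt` sample objects, and the treatment of capabilities as method-only objects are assumptions of mine.

```python
class Revoked(Exception):
    pass  # raised once the line between two worlds has been dropped

class Link:  # database entry for the line between two worlds; it alone drops the curtain
    DATA = (int, float, str, bytes, bool, type(None))  # plain data passes unwrapped
    alive = True
    def drop_iron_curtain(self):
        self.alive = False
    def cross(self, value):  # data passes; a capability gets a fresh intermediary
        return value if isinstance(value, self.DATA) else Forwarder(self, value)

class Forwarder:  # rescindable stand-in for a capability: all the far side ever holds
    def __init__(self, link, target):
        self._link, self._target = link, target
    def __getattr__(self, name):  # assumption: capabilities are method-only objects
        if name.startswith("_"):
            raise AttributeError(name)
        def proxy(*args):  # the liveness check happens at every invocation
            if not self._link.alive:
                raise Revoked(name)
            return self._link.cross(getattr(self._target, name)(*map(self._link.cross, args)))
        return proxy

def lookup(me, other, worlds, links):
    """Front end on the directory of other worlds: 'alice' evaluates to a
    mediated capability, never to Alice's own object."""
    link = links.setdefault(frozenset((me, other)), Link())
    return link.cross(worlds[other])

class Receipt:  # constructed sample: a capability Alice hands back across the line
    def __init__(self, n):
        self.n = n
    def number(self):
        return self.n

class Mailbox:  # constructed sample: what Bob's name "alice" really denotes
    inbox = ()
    def send(self, note):
        self.inbox += (note,)
        return Receipt(len(self.inbox))

def demo():  # Bob talks to Alice through the front end, then the line is dropped
    links, worlds = {}, {"alice": Mailbox()}
    alice = lookup("bob", "alice", worlds, links)
    receipt = alice.send("hello")  # itself a Forwarder, not Alice's Receipt
    links[frozenset(("bob", "alice"))].drop_iron_curtain()
    try:
        receipt.number()  # dies with the line that carried it across
    except Revoked:
        return True
    return False
```

Because the receipt was wrapped on its way back, revoking the single `Link` also revokes everything that was ever handed across it, which is what makes the curtain complete.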