From: "Mark S. Miller" <>
Replying To: Jonathan S. Shapiro <>
Date: Wed, 04 Dec 2002 13:49:57 -0800
Subject: Re: [e-lang] "Capability Myths Demolished" (was: Software security workshop)

At 12:58 PM 12/4/2002 Wednesday, Jonathan S. Shapiro wrote:
>The very earliest capability systems were segment-like systems. All
>required selectors. C-lists as sets was a mathematical modeling
>simplification used by Lampson; it's not clear that he ever meant these
>to really be used. The EROS confinement verification, for example,
>similarly treats nodes as sets because treating them as maps complicated
>the verification.

Your treatment of C-lists-as-sets was clearly not in order to propose that 
any actual system operate in this way.  Rather, it was a normal case of a 
model abstracting away detail not crucial for *that* model's purposes. As you 
say, the same is plausibly true of Lampson. (Though perhaps not of his 

>The POSIX capabilities API is definitely set based, as are Netscape's
>"Java Capabilities". I'm not clear about split capabilities. I don't
>have time at the moment to search my files on other systems.

We've all repeatedly agreed that Netscape "capabilities" and Posix 
"capabilities" aren't. Alan's "split capabilities" already has an attached 
adjective that Alan introduced to distinguish these from normal 
capabilities. SPKI use C-lists-as-sets, but doesn't claim itself to be a 
capability system. I've only referred to SPKI as a "capability-like system".

At 11:31 AM 12/4/2002 Wednesday, Tyler Close wrote:
>Are you just moving the line somewhere else or are you erasing the
>line? Are you still proposing a name change for capabilities?

I was trying to move the line. Unless we can find a line to draw between 
capability systems, with "our kind" all on one side of the line, then I 
think the whole exercise is pointless, and we should just stick with 

>The Levy book credits the Dennis and Van Horn system with the
>coining of the term "capability". This means full Granovetter
>functionality has been part of the term "capability" since the
>start. This makes it difficult to distinguish contemporary systems
>via an extension name.

If there are no C-lists-as-sets capability systems (plausible), and if 
Dennis & Van Horn had full Granovetter invocation, then I see no remaining 
useful distinction. So, contingent on further evidence, I withdraw my 
suggestion. daw

Text by me above is hereby placed in the public domain


e-lang mailing list