From: Tyler Close <tyler@waterken.com>
Replying To: David Wagner <daw@cs.berkeley.edu>
Date: Thu, 5 Dec 2002 08:49:07 -0400
Subject: Re: [e-lang] "Capability Myths Demolished" (was: Software security workshop)

On Wednesday 04 December 2002 18:17, David Wagner wrote:
> Mark Miller writes:
> >If there are no C-lists-as-sets capability systems (plausible), and if
> >Dennis & Van Horn had full Granovetter invocation, then I see no remaining
> >useful distinction. So, contingent on further evidence, I withdraw my
> >suggestion.
>
> At risk of prolonging this longer than necessary,
> how about "true capabilities" vs. "Lampson-style capabilities",
> when one needs to make a distinction?

I think we now have more than enough evidence on the table to
prove that there is no such thing as a "Lampson-style capability". 
For 30 years, ACL researchers have been criticising a straw man.
It is long past the time when this straw man should be struck
down. Giving it a name and treating it as if it were an actual
mechanism can only extend its life.

Unless there is an actual thing to be referred to by the name
"Lampson-style capability", there is no sense in the name.

On Tuesday 03 December 2002 22:05, David Wagner wrote:
> I'm not sure whether I understand your position.
>
> Let's suppose, for the sake of argument, that the entire security
> community understands the term "capability" to mean one thing.
> Let's assume this was prompted by a misunderstanding, but is now an
> established usage.

You hold a position of respect within the security community. I
think it would be useful for you to take a position on this issue.

> Now what?
>
> I see two strategies.
>  (1) Pin all hopes on reclaiming the word "capabilities" to mean what
>  you want, and put this in the critical path, so that you cannot succeed
>  in communicating the benefits of E-like systems to others until you've
>  succeeded in winning the terminology battle.
>         or
>  (2) Focus on communicating the positive benefits of E-like capability
>  systems, under any name, and leave the terminology battle to be pursued
>  concurrently or later or never at all.

I see a third strategy: running code and direct criticism.  This is
the strategy we have been pursuing to date and I think we should
stick to it.

We explain and show, with running code, that capabilities are
better.  Along the way, we directly criticize the gross failings of
the ACL model, and its research methods.

Given that there has been 30 years of "bogosity" surrounding
capabilities, it is likely necessary that every paper that is
actually about capabilities contain a footnote about the Lampson
error. This should be sufficient to avoid confusion, without the
need to invent a history.

> Let's put aside for the moment which seems more fair or historically
> accurate; if the goal is to persuade the security community of the value
> of E-like capability systems, which strategy seems most likely to achieve
> this goal?  If that's not the goal, why not?

The goal is to get capabilities deployed.

If it is necessary to surrender the scientific process in order to
get the support of the security community, then I really don't
know what value the security community can offer. Frankly, I think
correcting the 30 years of bogosity is necessary for the health of
the security community. This thing just gets more absurd as time
drags on.

Tyler 