From: Mark Miller <>
Replying To: marcs <>
Date: Thu, 05 Dec 2002 16:35:21 -0800
Subject: Re: [e-lang] "Capability Myths Demolished" (was: Software security workshop)

At 03:39 PM 12/5/2002 Thursday, marcs wrote:
>[...] lambda-capabilities [...] I now propose that we call non-lambda, 
>non-designation capabilities "ambient capabilities".

This distinction is supported by  

At 08:14 AM 12/4/2002 Wednesday, Jonathan S. Shapiro wrote:
>A C-list isn't a capability. It is a collection of capabilities. One of
>the key differences in various capability system designs is whether
>C-lists are sets or maps.

As I mentioned earlier, lambda calculus demands C-lists-as-maps (or, to 
paraphrase Jonathan Rees, "C-list indexes serve the same function in 
capability OSes as do names in the lambda calculus." (Anyone have the exact 
quote?)).  By contrast, in a C-lists-as-sets system, authority would 
necessarily be ambient.

Even if all actual capability systems are lambda-capability systems, since 
most formal models of capabilities (including Lamport and SW) to date have 
been ambient-capability models, and since most people learn capabilities by 
learning these models, I return to thinking we should draw a line between 
capability systems: shap

    actual, C-lists-as-maps,  lambda


    as usually modelled, C-lists-as-sets,  ambient

Text by me above is hereby placed in the public domain


e-lang mailing list
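
An added illustration of the C-lists-as-maps versus C-lists-as-sets distinction discussed in the message above; it is not part of the original post or of E. Every class, method and resource name in it is hypothetical, and the two "subjects" are toy models rather than any real capability system.

```python
# Added illustration (not from the original message); all names are hypothetical.

class Resource:
    def __init__(self, name):
        self.name, self.writes = name, []

class MapSubject:
    """C-list as a map: every invocation names a slot, as a lambda body
    names a variable, so designation and authority are the same act."""
    def __init__(self, **slots):
        self.clist = dict(slots)              # slot name -> capability

    def write(self, slot, data):
        self.clist[slot].writes.append(data)  # KeyError if the slot is empty

    def serve(self, passed_cap, data):
        # A caller can pass only a capability it holds; it lands in a
        # fresh slot and only that slot is invoked.
        self.clist["arg"] = passed_cap
        self.write("arg", data)

class SetSubject:
    """C-list as a set: the request identifies its target by some other
    name, and the whole set is searched for authority (ambient)."""
    def __init__(self, namespace, *caps):
        self.namespace = namespace            # global name -> Resource
        self.clist = set(caps)

    def write(self, name, data):
        target = self.namespace[name]
        if target not in self.clist:
            raise PermissionError(name)
        target.writes.append(data)

    def serve(self, requested_name, data):
        # The caller supplies only a name; the server's own set decides.
        self.write(requested_name, data)

def demo():
    out, audit = Resource("client-output"), Resource("server-audit-log")
    ns = {"out": out, "audit": audit}
    # Set model: the client holds no capability to audit, yet its request
    # succeeds because the server's ambient set contains it.
    SetSubject(ns, out, audit).serve("audit", "client data")
    set_model_audit = list(audit.writes)
    audit.writes.clear()
    # Map model: the client can pass only what it holds (out), so the
    # server's private audit slot is never reachable from the request.
    MapSubject(audit=audit).serve(out, "client data")
    return set_model_audit, list(audit.writes), list(out.writes)
```

`demo()` returns the audit log's contents under the set model, then the audit log's and the output's contents under the map model.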