From: Norman Hardy <>
Replying To: Jonathan S. Shapiro <>
Date: Wed, 11 Dec 2002 23:19:27 -0800
Subject: Re: [e-lang] Modelling Blindness (was: "Capability Myths Demolished" (was: Software security workshop))

Let me try to say something with minimal jargon. 
There are interesting things that you can prove about capability 
systems that entirely ignore the nature of the code that is subject 
to capability discipline (user code).
Many capability arguments indeed ignore the nature of user code.
In such cases it is appropriate to view capabilities as undesignated 
and undifferentiated (ambient?).

When you want to prove system properties that depend on the 
correctness of some user code, then it is generally necessary to 
consider how that code explicitly names the authority that it 
invokes, lest the deputy be unable to express its intent.

Many in the military security community are unaware of arguments of 
the second form.
Norman Hardy  <>
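The second form of argument above, the one that depends on how user code names the authority it invokes, is the confused-deputy situation. The following is an added illustration, not code from the message or from any system discussed on the list. It uses a constructed in-memory store in place of a file system and a hypothetical "compiler" deputy that writes a client's output and appends to its own billing record. In the ambient version the deputy resolves a client-supplied string with its own authority and cannot express "write to the client's file, not mine"; in the capability version the client must hand over a designated write capability and the deputy's own authority is a separate object it holds. The example assumes object-capability discipline is respected, that is, the client holds only the `WriteCap` it is given and has no other reference to the store (Python does not enforce this by itself).

```python
"""Ambient authority versus explicit designation of authority.

Constructed example: an in-memory dict stands in for a file system and a
"/deputy/billing" entry stands in for state only the deputy should modify.
"""


class Store:
    """Constructed stand-in for a file system: path -> contents."""

    def __init__(self):
        self.files = {}


class AmbientDeputy:
    """Deputy that resolves client-supplied names with its OWN ambient authority."""

    def __init__(self, store):
        self.store = store
        self.store.files["/deputy/billing"] = "balance=100"

    def compile(self, source, output_name):
        # output_name is just a string. The deputy has no way to say
        # "use the client's authority for this write"; it can only use
        # its own, so any name the client supplies is honoured.
        self.store.files[output_name] = f"compiled({source})"
        # The deputy's own bookkeeping also goes through ambient authority,
        # so the two writes are indistinguishable to the store.
        self.store.files["/deputy/billing"] += ";job"


class WriteCap:
    """Capability designating exactly one writable entry in the store."""

    def __init__(self, store, path):
        self._store = store
        self._path = path

    def write(self, data):
        self._store.files[self._path] = data

    def append(self, data):
        self._store.files[self._path] = self._store.files.get(self._path, "") + data


class CapDeputy:
    """Deputy whose every act of authority is an explicitly named capability."""

    def __init__(self, billing_cap):
        # The deputy's own authority is a distinct object it holds.
        self._billing = billing_cap

    def compile(self, source, output_cap):
        # The client must designate the destination by passing a capability.
        # The deputy cannot write anywhere else on the client's behalf, and it
        # expresses its own intent by using its own capability for billing.
        output_cap.write(f"compiled({source})")
        self._billing.append(";job")


def run_ambient(output_name):
    """Client names the output by string; returns the final store contents."""
    store = Store()
    deputy = AmbientDeputy(store)
    deputy.compile("x", output_name)
    return store.files


def run_capability():
    """Client holds only a capability to its own output slot; returns the store."""
    store = Store()
    store.files["/deputy/billing"] = "balance=100"
    deputy = CapDeputy(WriteCap(store, "/deputy/billing"))
    # Assumed discipline: this is the only capability the client holds, and it
    # has no reference to `store`, so it cannot designate the billing entry.
    client_output = WriteCap(store, "/home/client/out")
    deputy.compile("x", client_output)
    return store.files


if __name__ == "__main__":
    # A client naming the deputy's own record clobbers it under ambient authority.
    print(run_ambient("/deputy/billing"))
    # Under explicit designation the deputy's record stays intact.
    print(run_capability())
```

The point the message makes is visible in the two `compile` signatures: with a string parameter there is no place in the program where the deputy's intent ("write with the client's authority") can even be stated, whereas with a capability parameter the intent is the argument itself.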