
List:       cap-talk
Subject:    Your essay: What is a Capability, Anyway?
From:       Gregory Frascadore gaf () objectGuild ! com
Date:       1998-03-10 7:00:52

Jonathan,

  I ran across your essay "What _is_ a Capability, Anyway?" after an altavista
search. Thank you, it was most helpful.  

  After I read it, I began to think of some questions on my way to pick up
my son from day-care.  The questions came about when I began to relate
capabilities and access control lists to familiar systems that seem 
similar.  I wanted to get your reaction to where my thinking was heading.
Maybe I'm all confused.

  Basically, while I see the advantages of capabilities, it is not as clear-cut
to me that capabilities are to be preferred to ACLs.  Consider the following
two access control systems: keyed entry (as in real keys on a key ring) and
"swipe" cards (that you swipe through a card-reader to gain access).  Now
the former seems to be close to a capability system.  The latter more like
an access control list - when you swipe the card, a computer looks up your
id and verifies your right to entry at the given doorway.

  So from here my questions developed.  First I wondered about why it
is that "modern" buildings seem to be moving more to swipe cards than
keys (ACLs than capabilities).  There do seem to be some advantages
to the former:

    - it is easy to delete access without retrieving the card.
    - it is easier to control/limit access: once someone is inside
        using a card, no one else can use the same card or a
        copy to get in.
    - one need possess only one physical card, but can use it 
        at multiple doorways.
    - similarly, one can use the card to attempt access to doorways
        that were unknown or didn't exist at the time the card was
        obtained.

These are obviously advantages of swipe cards over keys.  My question
is "do they extend to ACLs over capabilities?"  You discussed the first
of these (deletion) in your essay.  What about the second?  Capabilities 
seem stateless and so it is not clear to me how to do entry-count type 
access control.

  My next question relates to how capabilities are granted in the first
place.  When I obtain a capability against an object o,
does the owner of o not apply an access list type mechanism to determine
if the capability should be granted?  Back to the key example: ultimately
the building owner would apply an ACL type mechanism to determine
whether to give me a building key.

  I'm beginning to conclude that ACLs and capabilities are inseparable.
There is a certain intermix ratio of how often ACLs are checked (to 
obtain capabilities) and how often capabilities are used.

  Because of your essay and your research, I suspect you have a different
opinion of all this and that is why I am writing. In particular, I'm especially
interested in any references describing how a "pure capability" system
grants capabilities without ACLs, and on your remark
that it is impossible to build a capability-based system on top of an ACL
system.

Thanks for any comments or pointers.

-Greg
