[Squeak-e] capabilities question...

Mark S. Miller markm at caplet.com
Mon May 12 13:41:30 CEST 2003 

[cross posted to squeak-e and e-lang, as my reply isn't squeak-e specific]

At 06:16 AM 5/9/2003 Friday, Michael van der Gulik wrote:
>I'm reading that rather interesting paper about capabilities (and the myths 
>thereof) on erights.org. 

Thanks!

>I'm playing around with Squeak and researching how 
>it could be distributed using replication etc. See dpon.sourceforge.net if 
>you're interested. I may switch to E, but I'm just nosing around at the 
>moment, and reading a lot.
>
>Question: it seems quite possible to implement ACL's using capabilities. 
>Would this be true?

Yes. For example, in rehosting Unix on KeyKOS 
http://www.cis.upenn.edu/~KeyKOS/NanoKernel/NanoKernel.ps.gz , Unix's 
degenerate ACL system was implemented using object-capabilities. I believe 
this also happened when rehosting CMS on KeyKOS on the IBM370. But these are 
complex examples embedded in a large context.

The Hat Racks design I propose at 
http://www.eros-os.org/pipermail/e-lang/2002-December/008107.html is built 
from object-capabilities, but is more ACL-like than object-capability-like, 
though it does leverage its object-capability underpinnings to improve on 
conventional ACL systems. For example, where ACL systems normally use human 
readable globally-scoped names, Hat Racks use first class opaque protected 
references as designators. The equivalent of a principal id is also reified 
as an opaque protected reference and explicitly wielded by the program. The 
result is much like Alan Karp's "Split Capabilities".

Hat Racks and Split Capabilities both fall in the "Capabilities as Keys" 
paradigm explained in the myths paper you're reading, with the proviso that 
both keys (as principal ids) and doors (as resource designators) are treated 
as opaque protected references. (The capabilities-as-keys paradigm as 
explained in the myths paper assumes only keys are protected.)

I am coming to believe that even in a non-legacy-burdened world of pure 
object-capabilities, there may still be a need to build some such 
capabilities-as-keys-like system from object-capabilities. (Even KeyKOS took 
a step in this direction when it introduced the CanOpener.)


>Say for example that you have a secure object called 'Secret'. Other objects 
>access 'Secret' through proxy objects. These proxy objects simply pass all 
>messages through to Secret, and can be turned on and off, to allow and 
>disallow (revoke) access to Secret.

So far, this sounds like revocable forwarders, and is a normal 
object-capability pattern.


>Now, assuming that some management system was built around this schema, each 
>proxy object is quite like an item in an Access Control List.
>
>If an authentication mechanism was also provided for subjects, which was 
>enforced by the proxies, then would there be any difference between this and 
>another implementation of an ACL system?

It all depends on the specifics of your "authentication mechanism was also 
provided for subjects, which was enforced by the proxies". Depending on the 
design, the result may or may not either be good or be ACL-like; and these 
two goals may or may not correlate as you expect.


----------------------------------------
Text by me above is hereby placed in the public domain

        Cheers,
        --MarkM

More information about the Squeak-e mailing list