Capability

From Erights


Latest revision as of 13:33, 16 July 2012


Definition

A capability is a token that identifies an object and provides its holder with the permission to operate on the object it identifies. Capabilities must either be totally unforgeable or infeasible to forge by being sparse.

Examples

Some examples of unforgeable capabilities:

  • Designations of objects in the E language. Those who hold these capabilities have the permission to invoke any method supported by the designated object.
  • Designations of functions and procedures in Emily. Those who hold these capabilities have the permission to call designated functions or procedures.
  • Capabilities held by a process in capability operating systems.
  • POSIX file descriptors.

Some examples of sparse capabilities (sometimes called password capabilities):

  • Designations of remote objects in E, such as captp://*orwqphzlugjwqj2wozz7tmg47ime466j@74.125.87.147:55189/oa6vn5whhapylswhzesdlqh5ppmjkcrq. Those who hold these capabilities have the permission to invoke any method supported by the designated object.
  • Private URLs where having the URL is necessary and sufficient to use the resource. Common examples are:
    • "Confirm your e-mail address" links for website account registrations, mailing list subscriptions or opt-outs, e.g. http://drupal.cbreurope.sk/civicrm/mailing/optout?reset=1&jid=XX&qid=XXXXX&h=XXXXXXXXXXXXXXXX&confirm=1
    • Shared private documents such as in Google Docs, Google Maps, Picasa albums, Doodle schedulers.
  • Designation of file-system sub-trees in MinorFs, such as /mnt/minorfs/cap/3d5d3efbf73bb711e7a47f82a44f471fcf77c70e/
  • URL links to Bitcoin wallets.

An Unum can also be considered a capability to a (replicated) object, in the same way that file descriptors of files transparently replicated by RAID are still regarded as file descriptors.

URLs as capabilities

As noted above, URLs are often used as capabilities in practice, especially when sent over e-mail. Some explicitly capability-structured systems, such as Tahoe-LAFS, use capability URLs.

A hazard to using capability URLs directly in a web browser is that many browser extensions or options may transmit URLs to a third-party server. In the worst case, this may make those URLs public. However, there is some mitigation:

  • The fragment part of a URL reference (#id) is not transmitted. If the browser supports executing JavaScript, then the capability can be placed in the fragment and transmitted only under script control, not as part of a URL.
  • The query string part (?foo=bar) is often not transmitted. (Citation needed on this one!)

See also

See What is a Capability, Anyway? for a partisan explanation of what capabilities actually are.

See also Overview: Capability Computation

This page is a stub; it should be expanded with more information. If doing so, check the original E web site and the mailing list archives for content which could be moved into this page.