Talk:Capability
From Erights
Line 34: | Line 34: | ||
Here is a [http://altair.fiit.stuba.sk/mediawiki/index.php/SandboxedPing non-trivial example]. You can try to explain me how it would be possible for an untrusted sandboxed subsystem to forge or guess arbitrary capabilities? | Here is a [http://altair.fiit.stuba.sk/mediawiki/index.php/SandboxedPing non-trivial example]. You can try to explain me how it would be possible for an untrusted sandboxed subsystem to forge or guess arbitrary capabilities? | ||
- | Similar examples can be also | + | Similar examples can be also shown in any object-capability programming language one chooses to use. I may try to show some code in E with a similar point. I am not qualified to show any examples showing a similar point in capability-based operating systems but I think on cap-talk there are such people. |
[[User:Kosik|Kosik]] 13:16, 10 July 2009 (CDT) | [[User:Kosik|Kosik]] 13:16, 10 July 2009 (CDT) |
Revision as of 18:17, 10 July 2009
The article can be further improved by given more examples of capabilities from CapROS, EROS and Coyotos systems. What objects can those capabilities designate? Which operations do those capabilities permit their holder to perform with designated objects? Kosik 05:17, 10 July 2009 (CDT)
It seems the article describes an object-capability as though it is the only sort. I understand it is the type of capability used in E and such, but other sorts are used for security.
- Password Capabilities (SPKI, Certificates) do not need to designate objects
- Object Capabilities
Further, capability doesn't imply unforgeable unless you're talking about secure capabilities, and capability-based security.
You are right. Some capabilities are indeed unforgeable and some are merly hardly guessable. Cannot these two different terms:
- unforgeable
- hardly unguessable
be contracted to some single adjective? Using the term "unforgeable or hardly unguessable" is awkward. Kosik 10:59, 10 July 2009 (CDT)
I'm afraid you didn't grok. I mean to say that capabilities may be very forgeable and guessable. They simply aren't secure capabilities, or suitable for capability-based security. And the page still has a heavily object-capability bias.
Concerning object-capability bias, see my suggestion at the top of the page. More example are needed and can be added. I am just not qualified to give them.
It is possible to demonstrate that if you say "capabilities are very forgeable and guessable" you are wrong.
Kosik 11:51, 10 July 2009 (CDT)
Please demonstrate, then. Demonstrate that "Capability" implies "Secure capability" in global vernacular and I'll be happy to recant. But I suspect you're not qualified to do that, either.
Here is a non-trivial example. You can try to explain me how it would be possible for an untrusted sandboxed subsystem to forge or guess arbitrary capabilities?
Similar examples can be also shown in any object-capability programming language one chooses to use. I may try to show some code in E with a similar point. I am not qualified to show any examples showing a similar point in capability-based operating systems but I think on cap-talk there are such people.
Kosik 13:16, 10 July 2009 (CDT)