Capabilities are more than just tokens…

The mental model I had of a capability before was pretty much limited to the Wikipedia article and some chance encounters with the ideas in the past. It took quite a bit of reading, but I think I finally have a better understanding of what holding a capability can actually represent, and of what the design patterns for using and reusing capabilities look like.

For some reason I was stuck on the notion of reassignment: once you give a capability to someone, they can simply turn around and hand it to someone else. This isn’t a particularly big deal, and it has a real-world analogue in keys (I give my friend my house key; he can make copies of it and give them to those he trusts with it). But trust isn’t always transitive, whereas, short of biometrics or behavioral analysis, most of our authorization mechanisms are.

But there is a feature of capabilities that had never occurred to me: wrapping. In a more robust capability-based system, when you receive a capability your choices aren’t limited to keeping it to yourself or giving away every right assigned to you. You can wrap the capability in question in a capability of your own and pass that along instead. This enables some very exciting use cases.

You can also gain other levers of control over the capabilities you hand out. Really interesting permission schemes can be built out of low-level capability primitives: the proxy wrapping discussed above (you can log and monitor usage, attenuate rights, and even revoke or demote a capability you granted, independently of the capability that was granted to you), leasing (putting an expiration date on a capability), or requiring a signature at each use (making trust non-transitive). And because capabilities reside at the application level, you can even roll your own requirements for a given capability.
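The wrapping patterns from the two paragraphs above (attenuation, logging, revocation, leasing, and signing at use), as an added Python example that is not from the original post. A capability here is just an object reference, and every helper returns a new forwarding object so the grantee never holds the original. FileCap, Proxy, attenuate, logged, revocable, leased, SignedProxy, sign and denied are this example's own names; the signing variant assumes the grantor and grantee share a secret key at grant time and includes no replay protection.

```python
import hashlib
import hmac
import time


class FileCap:
    """Hypothetical full-authority capability over one in-memory file."""
    def __init__(self, contents=""):
        self._contents = contents

    def read(self):
        return self._contents

    def write(self, data):
        self._contents = data


class Proxy:
    """Forwarding wrapper; the wrapper is itself a capability.
    `allowed` limits which method names reach the target (attenuation);
    `guard(name, args)` runs before every forwarded call and may raise."""
    def __init__(self, target, allowed=None, guard=None):
        self._target, self._allowed, self._guard = target, allowed, guard

    def __getattr__(self, name):
        if name.startswith("_"):          # never forward private lookups
            raise AttributeError(name)
        if self._allowed is not None and name not in self._allowed:
            raise PermissionError(f"capability does not grant '{name}'")
        method = getattr(self._target, name)

        def forward(*args, **kwargs):
            if self._guard is not None:
                self._guard(name, args)
            return method(*args, **kwargs)
        return forward


def attenuate(cap, allowed):
    """Hand out a narrower capability, e.g. a read-only view."""
    return Proxy(cap, allowed=frozenset(allowed))


def logged(cap, log):
    """Record every use in `log`, which only the grantor keeps."""
    return Proxy(cap, guard=lambda name, args: log.append((name, args)))


def revocable(cap):
    """Caretaker pattern: returns (wrapper, revoke). After revoke() every
    call through the wrapper fails; the grantor's own capability is untouched."""
    state = {"revoked": False}

    def guard(name, args):
        if state["revoked"]:
            raise PermissionError("capability revoked")

    def revoke():
        state["revoked"] = True
    return Proxy(cap, guard=guard), revoke


def leased(cap, expires_at, clock=time.time):
    """Lease: the wrapper stops working once clock() passes expires_at."""
    def guard(name, args):
        if clock() > expires_at:
            raise PermissionError("capability lease expired")
    return Proxy(cap, guard=guard)


def sign(key, name, *args):
    """Grantee-side helper: MAC over the intended call (constructed, no nonce)."""
    return hmac.new(key, repr((name, args)).encode(), hashlib.sha256).digest()


class SignedProxy:
    """Each use must carry a MAC under the grantee's key, so passing the
    wrapper to a third party grants nothing unless the key goes with it."""
    def __init__(self, target, holder_key):
        self._target, self._key = target, holder_key

    def invoke(self, name, signature, *args):
        if not hmac.compare_digest(signature, sign(self._key, name, *args)):
            raise PermissionError("use is not signed by the capability's holder")
        return getattr(self._target, name)(*args)


def denied(call):
    """True if `call()` is refused by a wrapper; False if it went through."""
    try:
        call()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    secret = FileCap("top secret")          # constructed sample resource
    log = []
    audited = logged(attenuate(secret, {"read"}), log)   # wrappers compose
    print(audited.read(), denied(lambda: audited.write("x")), log)
    temp, revoke = revocable(secret)
    revoke()
    print("after revoke, read denied:", denied(temp.read))
```

The wrappers compose, so a logged, read-only, time-limited view is just three nested proxies, and the grantor keeps the original object plus the revoke closure while the grantee only ever sees the outermost wrapper. One caveat worth knowing: Python enforces none of this, since a holder can reach `proxy._target` directly; the pattern only confines authority in a language or runtime that makes object references unforgeable and hides internals, which is what real object-capability systems provide.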

I tend to think in terms of user interfaces, and I still can’t quite envision one that manages all of these powerful abilities. I strongly believe that without a good UI, one that reveals the full implications of a rights assignment, capabilities are subject to the same human frailties as ACLs.

One Response to “Capabilities are more than just tokens…”

  1. Mike Warot Says:

    Cool beans!

    Now that you get it, you can explain it all back to me, so we both understand it better. ;-)

    The question is how to move from a set of a few bloggers who get it to a mass movement big enough to make a difference.

    I’m open for any/all suggestions.

    –Mike–
