/ elib / capability

Formal Declaration, Statements of Consensus, February 9, 2001

On the E-Lang list, we've had a long running discussion debating the pros and cons of Capability vs ACL security architecture. Although many controversies remain, after a while Marc Stiegler noticed that many other points were no longer being argued. Through discussion and debate, had this group of argumentative experts had actually arrived at many points of agreement? After an agreed upon process, this statement captures this consensus among the participants listed below.

The Original Message

Statements Of Consensus as of February 9, 2001

Marc Stiegler marcs-at-skyhunter.com
Fri, 9 Feb 2001 16:11:01 -0700

1. We all agree that currently available ACL systems are too broken to be serious contenders for general-purpose effective security.

2. We all agree there is at least one security relationship that capabilities cannot create, even in theory. This is the one Ralph Hartley identified that Mark Miller agrees with. We also agree that this one is not of practical importance. We also agree that there may be others that might be of practical importance, though there is no agreement that others have been found.

3. We all agree that capabilities systems as embodied in EROS and E seem architecturally sound enough to be serious contenders for providing general-purpose effective security.

4. We all agree that the Principle of Least Authority (POLA) is an important element in security design, and is indeed a sensible best-practice.

5. We all agree that capabilities inherently convey "narrow" authorities, in the sense that they name only one object at a time (in contrast to user ids as basis for protection, which name multiple objects at a time).

6. We all agree that explicitly designating authority at the locus of use imposes a style of use that simultaneously tends to reduce the number of authority misuse errors and renders them easier to locate, identify, and repair. We agree that capability systems (via C-list indices) lend themselves to such explicit designation. We deduce that capability systems lend themselves to the application of POLA, though one can build non-POLA capability systems.

7. We recognize that POLA is a part of both E and EROS as actual implementations.

8. We all agree that each authority should have its own protection, according to the POLA. Compromising one protection should not yield the ability to compromise others.

Disclaimer: The participants in this discussion have a wide disparity of knowledge about different aspects of these discussions. Consequently, the necessarily more correct way of stating this consensus is that everyone agrees within the constraints of their knowledge: For any one aspect of these statements of consensus, those with a weaker knowledge of that aspect know of no fault in the statement, and are necessarily trusting those with a stronger knowledge of that aspect to have highlighted a fault if there is one. Equally of course, if new evidence or insights become available, people may have a different opinion at a later date, making this document obsolete.

Participants in this discussion, alphabetical by first name, include:

Alan Karp          alan_karp-at-hp.com
Ben Laurie         ben-at-algroup.co.uk
Bill Frantz        frantz-at-pwpconsult.com
Chip Morningstar   chip-at-communities.com
Chris Hibbert      hibbert-at-netcom.com
Dan Bornstein      danfuzz-at-milk.com
Dan Moniz          dnm-at-pobox.com
David Wagner       daw-at-mozart.cs.berkeley.edu
Hal Finney         hal-at-finney.org
Jonathan Shapiro   shap-at-cs.jhu.edu
Ka-Ping Yee        ping-at-lfw.org
Marc Stiegler      marcs-at-skyhunter.com
Mark Miller        markm-at-caplet.com
Norm Hardy         norm-at-cap-lore.com
Nikita Borisov     nikitab-at-cs.berkeley.edu
Ralph Hartley      hartley-at-aic.nrl.navy.mil
Tyler Close        tclose-at-oilspace.com