> Capabilities can simply hold a provenance that can be used to verify the source of the access. If that access is then revoked from that source, the capability doesn't need to change at all
This is basically using access control lists to mimic a capability system [1]. The capability folks did something similar in "Polaris" [2], their layer atop Windows XP that enforced principle of least authority by default. If only MS had taken that and run with it.
[1] A Distributed Capability Computing System (DCCS), http://www.webstart.com/jed/papers/DCCS/
[2] Polaris: Virus-Safe Computing For Windows XP, https://cacm.acm.org/research/polaris-2/
How equivalent this is to ACLs depends on what "provenance" means here.
One of the strategies with capabilities is that I do not hand you the capability that I own to X. Instead, I create a proxy Y that can make requests of X, and then hand you the capability to make requests of Y.
If I later stop Y, you lose access.
This can be viewed as a kind of provenance. The history of how the access came to be is reflected in the actual capability. The downside, obviously, is that we've added overhead. But this strategy can allow us to do a number of interesting things, like splitting an existing capability into multiple finer-grained ones.
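
The revocable-proxy strategy from the comment above, as an added example that is not part of the thread: a grantor wraps X in a forwarder Y, hands out only Y, and can later stop it. The store and the names `makeStore`, `makeCaretaker` and `demo` are assumptions made for illustration.

```javascript
// Added example: X is a constructed in-memory store, not code from the thread.
function makeStore() {
  const data = new Map();
  return Object.freeze({
    read: (key) => data.get(key),
    write: (key, value) => { data.set(key, value); },
  });
}

// Build Y: a forwarder exposing only `methods` of `target`. The grantor keeps
// `revoke`; the holder of `cap` never gets a reference to `target` itself.
function makeCaretaker(target, methods) {
  let live = target; // closure variable, unreachable through `cap`
  const cap = {};
  for (const name of methods) {
    if (typeof target[name] !== "function") {
      throw new TypeError(`target has no method ${name}`);
    }
    cap[name] = (...args) => {
      if (live === null) throw new Error("capability revoked");
      return live[name](...args);
    };
  }
  return { cap: Object.freeze(cap), revoke: () => { live = null; } };
}

// Returns what each step observed, so the behaviour can be checked.
function demo() {
  const attempt = (fn) => { try { return fn(); } catch (e) { return e.message; } };
  const x = makeStore();
  x.write("report", "v1");
  // Split the one capability to X into two finer-grained ones.
  const reader = makeCaretaker(x, ["read"]);
  const writer = makeCaretaker(x, ["write"]);
  // The recipient delegates onward by wrapping its own Y in another proxy.
  const delegated = makeCaretaker(reader.cap, ["read"]);
  const seen = [];
  seen.push(reader.cap.read("report"));                    // read is granted
  seen.push(typeof reader.cap.write);                      // write is not present
  writer.cap.write("report", "v2");
  seen.push(delegated.cap.read("report"));                 // chain still live
  reader.revoke();                                         // grantor stops Y
  seen.push(attempt(() => reader.cap.read("report")));
  seen.push(attempt(() => delegated.cap.read("report")));  // downstream cut too
  writer.cap.write("report", "v3");                        // sibling unaffected
  seen.push(x.read("report"));
  return seen;
}
```

Revoking the reader also cuts off everything delegated from it, while the writer proxy and X itself keep working; the cost is the extra call per request that the comment mentions.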