ERights Home elib / capability 
Back to: Communicating Conspirators On to: PetName Markup Language

Formal Declaration: Statements of Consensus

February 9, 2001

On the E-Lang list, we have had a long-running discussion debating the pros and cons of capability versus ACL (access control list) security architectures. Although many controversies remain, after a while Marc Stiegler noticed that many other points were no longer being argued: through discussion and debate, this group of argumentative experts had actually arrived at many points of agreement. Following a process the participants agreed on, the statement below captures that consensus among the participants listed at its end.

The Original Message

Statements Of Consensus as of February 9, 2001

Marc Stiegler
Fri, 9 Feb 2001 16:11:01 -0700

  1. We all agree that currently available ACL systems are too broken to be serious contenders for general-purpose effective security.

  2. We all agree there is at least one security relationship that capabilities cannot create, even in theory. This is the one Ralph Hartley identified that Mark Miller agrees with. We also agree that this one is not of practical importance. We also agree that there may be others that might be of practical importance, though there is no agreement that others have been found.

  3. We all agree that capabilities systems as embodied in EROS and E seem architecturally sound enough to be serious contenders for providing general-purpose effective security.

  4. We all agree that the Principle of Least Authority (POLA) is an important element in security design, and is indeed a sensible best-practice.

  5. We all agree that capabilities inherently convey "narrow" authorities, in the sense that they name only one object at a time (in contrast to user ids as basis for protection, which name multiple objects at a time).

  6. We all agree that explicitly designating authority at the locus of use imposes a style of use that simultaneously tends to reduce the number of authority misuse errors and renders them easier to locate, identify, and repair. We agree that capability systems (via C-list indices) lend themselves to such explicit designation. We deduce that capability systems lend themselves to the application of POLA, though one can build non-POLA capability systems.

  7. We recognize that POLA is a part of both E and EROS as actual implementations.

  8. We all agree that each authority should have its own protection, according to the POLA. Compromising one protection should not yield the ability to compromise others.

Disclaimer: The participants in this discussion have a wide disparity of knowledge about different aspects of these discussions. Consequently, the necessarily more correct way of stating this consensus is that everyone agrees within the constraints of their knowledge: For any one aspect of these statements of consensus, those with a weaker knowledge of that aspect know of no fault in the statement, and are necessarily trusting those with a stronger knowledge of that aspect to have highlighted a fault if there is one. Equally of course, if new evidence or insights become available, people may have a different opinion at a later date, making this document obsolete.

Participants in this discussion, alphabetical by first name, include:

Alan Karp
Ben Laurie
Bill Frantz
Chip Morningstar
Chris Hibbert
Dan Bornstein
Dan Moniz
David Wagner
Hal Finney
Jonathan Shapiro
Ka-Ping Yee
Marc Stiegler
Mark Miller
Nikita Borisov
Norm Hardy
Ralph Hartley
Tyler Close
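The following is an added illustration, written for this page and not code from E, EROS or any participant, of three of the points above: point 5 (a capability names one object, a user id names many), point 6 (designating the authority at the locus of use), and point 8 (each authority has its own protection). It contrasts a toy store guarded by user ids with one guarded by unforgeable references. The store, the file names, the `svc` user id and the logging deputy are all constructed for the example.

```python
"""Constructed contrast of user-id (ACL-style) authority with capability-style
authority. Illustration only; not code from E or EROS."""
from __future__ import annotations

from dataclasses import dataclass, field


# ---- ACL style: a user id is the unit of protection and names many objects ----

@dataclass
class AclStore:
    files: dict[str, str] = field(default_factory=dict)
    # path -> set of user ids allowed to write it (constructed policy)
    writers: dict[str, set[str]] = field(default_factory=dict)

    def write(self, uid: str, path: str, data: str) -> None:
        if uid not in self.writers.get(path, set()):
            raise PermissionError(f"{uid} may not write {path}")
        self.files[path] = data


def acl_logger(store: AclStore, service_uid: str, log_path: str, entry: str) -> None:
    """A logging deputy. The caller designates log_path, but the authority
    actually exercised is the deputy's own uid, which names every path that
    uid may write. Designation and authority travel separately."""
    store.write(service_uid, log_path, entry)


def acl_demo() -> dict[str, str]:
    store = AclStore(
        files={"service.log": "", "billing.db": "balance=100"},
        writers={"service.log": {"svc"}, "billing.db": {"svc"}},
    )
    # A caller with no rights of its own asks the deputy to log, but names
    # billing.db instead of the log. The deputy's uid authorises the write.
    acl_logger(store, "svc", "billing.db", "balance=0")
    return store.files


# ---- Capability style: a reference is the unit of protection, one object each ----

class CapStore:
    """Holds the files; never consulted with a user id."""

    def __init__(self, files: dict[str, str]) -> None:
        self._files = dict(files)

    def read(self, path: str) -> str:
        return self._files[path]

    def write_cap(self, path: str) -> tuple[WriteCap, Revoker]:
        """Mint a write capability for exactly one path, plus the revoker the
        grantor keeps. The holder of the capability cannot revoke it."""
        if path not in self._files:
            raise KeyError(path)
        slot = {"live": True}
        return WriteCap(self, path, slot), Revoker(slot)


class WriteCap:
    """Unforgeable authority to write one file. Holding it says nothing about
    any other file, and it cannot even read its own file."""

    def __init__(self, store: CapStore, path: str, slot: dict) -> None:
        self._store, self._path, self._slot = store, path, slot

    def write(self, data: str) -> None:
        if not self._slot["live"]:
            raise PermissionError("capability revoked")
        self._store._files[self._path] = data


class Revoker:
    def __init__(self, slot: dict) -> None:
        self._slot = slot

    def revoke(self) -> None:
        self._slot["live"] = False


def cap_logger(log: WriteCap, entry: str) -> None:
    """Same deputy. The argument both designates the log and is the authority
    to write it; there is no uid to fall back on, so the deputy can only
    write what it was handed."""
    log.write(entry)


def cap_demo() -> dict[str, object]:
    store = CapStore({"service.log": "", "billing.db": "balance=100"})
    log_cap, log_revoker = store.write_cap("service.log")
    billing_cap, _billing_revoker = store.write_cap("billing.db")

    # The caller holds only log_cap. Naming billing.db by string buys nothing:
    # the deputy consumes a capability, not a name plus ambient authority.
    cap_logger(log_cap, "started")
    try:
        cap_logger("billing.db", "balance=0")  # type: ignore[arg-type]
        forged = True
    except AttributeError:
        forged = False

    # Point 8: revoking the log capability leaves the billing one untouched.
    log_revoker.revoke()
    try:
        log_cap.write("after revoke")
        log_writable = True
    except PermissionError:
        log_writable = False
    billing_cap.write("balance=100;audited")

    return {
        "files": {p: store.read(p) for p in ("service.log", "billing.db")},
        "forged": forged,
        "log_writable_after_revoke": log_writable,
    }
```

In `acl_demo` the deputy clobbers `billing.db` because its user id names every file that id may write; in `cap_demo` the same deputy, handed a `WriteCap`, can write exactly the one file the capability designates, and revoking that capability does not disturb the separately protected billing capability.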

Unless stated otherwise, all text on this page which is either unattributed or by Mark S. Miller is hereby placed in the public domain.