Monday, August 26, 2013

Authentication and Restricting Delegation

In the purest form of capabilities, all that is required to exercise a capability
is its possession. This means that, in general, it is entirely possible for the
possessor of a capability to delegate it by handing a copy to someone else.
This gives rise to the capability community’s fondness for the Granovetter
diagram, which shows a capability for some action being handed from one party
to another down an existing capability (remember that in a capability system
two entities can only communicate if they have a capability allowing them to
do so).
However, it is sometimes desirable to authenticate the wielder of the capability,
rather than relying on mere possession. There are two reasons you might
want to do this:
• To restrict delegation of capabilities.
• To avoid having to keep capabilities secret, where secrecy is a necessary
prerequisite to unforgeability.
Note, however, that it is almost universally impossible to prevent delegation
if the possessor of a capability is determined to delegate. So long as they have
any kind of communication channel with the delegee, they can, at the least,
exercise the capability by proxy on behalf of the delegee. And, of course, it
turns out to be very hard indeed to eliminate communications channels between
entities, because of covert channels.
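The two designs contrasted above, and the proxy caveat, as an added example that is not part of the original post: a small Python model of a bearer capability beside one bound to an authenticated wielder, with Bob obtaining the result through Alice anyway. The principal names, the `read:file` action and the use of HMAC as a stand-in for the authority's stamp and for signing keys are assumptions of the example.

```python
import hashlib
import hmac
import secrets

# Constructed model, not code from the post: an in-process authority issues and
# checks capabilities. HMAC stands in for the authority's unforgeable stamp and
# for each principal's private key (a real system would use signatures).
_AUTHORITY_KEY = secrets.token_bytes(32)
PRINCIPAL_KEYS = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}

def _mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()

def issue_bearer_cap(action):
    """Pure capability: an unguessable token carrying the authority's stamp."""
    nonce = secrets.token_hex(16)
    return {"action": action, "nonce": nonce,
            "stamp": _mac(_AUTHORITY_KEY, action.encode(), nonce.encode())}

def use_bearer_cap(cap, presenter):
    """Presenter is ignored: possession of a copy suffices, so it must stay secret."""
    expected = _mac(_AUTHORITY_KEY, cap["action"].encode(), cap["nonce"].encode())
    return hmac.compare_digest(expected, cap["stamp"])

def issue_bound_cap(action, holder):
    """Capability naming its wielder; a copy is useless without the holder's key."""
    return {"action": action, "holder": holder,
            "stamp": _mac(_AUTHORITY_KEY, action.encode(), holder.encode())}

def use_bound_cap(cap, proof, challenge):
    """Accept only a genuine stamp plus proof (MAC over a fresh challenge) of the
    named holder's key, so who is asking is authenticated, not just what they hold."""
    stamp = _mac(_AUTHORITY_KEY, cap["action"].encode(), cap["holder"].encode())
    if not hmac.compare_digest(stamp, cap["stamp"]):
        return False
    return hmac.compare_digest(_mac(PRINCIPAL_KEYS[cap["holder"]], challenge), proof)

def scenario():
    """Alice holds both kinds of capability and hands Bob a copy of each."""
    alice, bob = PRINCIPAL_KEYS["alice"], PRINCIPAL_KEYS["bob"]
    bearer, bound = issue_bearer_cap("read:file"), issue_bound_cap("read:file", "alice")
    ch = secrets.token_bytes(16)          # fresh challenge from the authority
    # Proxy: Bob sends Alice his request over their channel; Alice exercises her
    # own capability and relays the answer, so delegation is not really stopped.
    via_alice = use_bound_cap(bound, _mac(alice, ch), ch)
    return {"bearer_copy_works_for_bob": use_bearer_cap(dict(bearer), "bob"),
            "bound_works_for_alice": use_bound_cap(bound, _mac(alice, ch), ch),
            "bound_copy_works_for_bob": use_bound_cap(dict(bound), _mac(bob, ch), ch),
            "bob_gets_it_via_alice_proxy": via_alice}
```

The bound capability can be published without risk, which is the second reason given above, but the last entry in `scenario()` shows why the first reason only holds against a holder who is not determined to delegate.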
