The third line we can draw is between machines. Capabilities are then manifested
as network objects. One simple way to do this is to have each capability
correspond to a URL whose path is a large random number13 – this gives the
required unforgeability property, so long as the URL is kept secret. Waterken[8]
is an example of this, as is the E programming language, in which local objects
can actually be references to objects on remote systems.
If keeping the URL secret is not possible (or desirable), then combining
presentation of the URL with authentication would restore unforgeability14.
HP’s eSpeak[2] system, which combined capabilities with public keys – in order
to exercise a capability you had to prove both possession of the corresponding
private key and of the capability itself – is an example of this kind of system.
This mechanism is also often used in an ad-hoc way: for example, the
confirmation mails that Mailman[3] (and other list managers) send are
effectively capabilities, since the link they contain embeds a secret that only
the addressee should have received. Likewise, a common way to prevent cross-site
request forgery15 is to include a hidden field in the form containing a random
number that the server can check. When an attacker attempts to forge the form
submission, this number will be missing or incorrect and so the attempt will
fail. This number is a capability, and it is only as good as its unguessability:
it must come from a cryptographically strong random source and be long enough
that it cannot be found by brute force.
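The two patterns above, a capability as an unguessable URL and a CSRF token that is a capability bound to a session, as an added example (not code from the original text or from Waterken, eSpeak or Mailman). The host name, the in-memory capability table, the server key and the form handler are assumptions for the example; the session-binding MAC on the CSRF token plays the role of the "presentation plus authentication" combination described above, so a token lifted from one user's form fails when replayed in another user's session.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# --- Capability as an unguessable URL ----------------------------------------
# Hypothetical in-memory table from the secret path component to the resource
# it grants access to (an assumption for this example).
_capabilities: Dict[str, str] = {}

BASE = "https://example.invalid/cap/"  # hypothetical host


def mint_capability_url(resource: str) -> str:
    """Issue a capability for `resource` as a URL whose path is a large random number.

    secrets.token_urlsafe(32) draws 256 bits from the OS CSPRNG, so the path
    cannot be guessed; unforgeability holds only while the URL stays secret."""
    token = secrets.token_urlsafe(32)
    _capabilities[token] = resource
    return BASE + token


def exercise_capability(url: str) -> Optional[str]:
    """Return the resource a URL grants, or None if the path is unknown.

    Lookup is by exact match, so a partially guessed path opens nothing."""
    if not url.startswith(BASE):
        return None
    return _capabilities.get(url[len(BASE):])


# --- CSRF token as a capability bound to a session ---------------------------
# Per-server key; a real deployment would load it from configuration. Here it
# is generated at import time (an assumption for the example).
_SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Mint the hidden form field: a random nonce plus a MAC tying it to the session.

    The MAC is what turns "present the secret number" into "present it and
    prove it was issued for this session"."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(_SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Accept only if the token is present, well-formed, and its MAC verifies
    for *this* session. The comparison is constant-time."""
    if not token or "." not in token:
        return False  # forged submission: field missing or malformed
    nonce, tag = token.split(".", 1)
    expected = hmac.new(_SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def handle_form_post(session_id: str, form: Dict[str, str]) -> str:
    """Hypothetical handler: refuse the state change unless the capability is presented."""
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return "403 forged or missing token"
    return "200 " + form.get("action", "")


if __name__ == "__main__":
    url = mint_capability_url("/list/confirm/alice")
    print(exercise_capability(url))             # the resource
    print(exercise_capability(BASE + "guess"))  # None

    tok = issue_csrf_token("session-of-alice")
    print(handle_form_post("session-of-alice", {"csrf_token": tok, "action": "unsubscribe"}))
    print(handle_form_post("session-of-alice", {"action": "unsubscribe"}))                   # missing
    print(handle_form_post("session-of-mallory", {"csrf_token": tok, "action": "unsubscribe"}))  # wrong session
```

The capability URL on its own is exactly the "keep the URL secret" case: anyone holding it can exercise it. The CSRF token adds the authentication half, which is why the third form post is rejected even though the attacker presents a genuine token.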