Object Capabilities, ACLs & Sandboxing
Capabilities
- Public keys are capability to send you a message that you can grand by giving the key
- Capabilities can be forwarded - external system like trust needs to be used
- Capabilities needs to be revocable - single key per capability granted
Confused deputy problem
UNIX security
what we actually want for robust, reliable infrastructure is an environment and API that deals with all the above stuff one way or another, and provides explicit, deny-by-default control of everything programs are allowed to do, a la a capability system. Linux is not this, but people keep trying to turn Linux into that with tools like Docker. I think that if an API like WASI or such ever gets popular, that has these properties designed in from the start, life will become much better. Making such a system that is actually nice for humans to use interactively is still a problem, but a different problem.)