Capabilities in production systems


Alan Karp

Sep 26, 2025, 12:28:32 PM
to <friam@googlegroups.com>, cap-...@googlegroups.com
I expect that many of you have heard someone say, "If capabilities are so great, why is nobody using them."

Kenton has just told us that they are being used at Cloudflare.  They are also an important part of the offerings of DigitalBazaar.  Do you know of others?

Does it make sense to put up a web page (I suggest on erights.org) listing these examples and others we learn of?

--------------
Alan Karp

Kenton Varda

Sep 26, 2025, 12:57:46 PM
to fr...@googlegroups.com, cap-...@googlegroups.com
To be fair, capabilities are used in Cloudflare Workers because I designed it that way. ;)

But everyone is pretty happy with the result.

Actually, though, capabilities are everywhere. Android's Binder and Chrome's Mojo (foundational parts of these respective systems) are capability systems. I'd argue capabilities are actually very common in successful systems, they just aren't always labeled as such and aren't always "pure".

-Kenton


John Kemp

Sep 26, 2025, 1:53:22 PM
to fr...@googlegroups.com, Kenton Varda, cap-...@googlegroups.com
On 09/26/25 at 12:57, Kenton Varda wrote:
> Actually, though, capabilities are everywhere. Android's Binder and
> Chrome's Mojo (foundational parts of these respective systems) are
> capability systems. I'd argue capabilities are actually very common in
> successful systems, they just aren't always labeled as such and aren't
> always "pure".

Back in the days when I wrote this in the W3C TAG:
https://www.w3.org/2001/tag/2010/06/01-cross-domain.html related to UMP
vs CORS, I was an enthusiastic designer of capability systems while at
Nokia, but I avoided direct use of the term "object capability."

At that time, Google Doc and Dropbox sharing links, Second Life use of
capability URLs and quite a few others, along with Google's Caja project
were all using ocaps in deployed systems around that time.

Jeni Tennison later wrote a nice document about best practices for
capability URLs: https://www.w3.org/2001/tag/doc/capability-urls/ and
https://w3ctag.github.io/presentations/reveal/capability-urls.html

Worth noting that Jonathan Rees and Dan Connolly were also on the TAG at
this time.

- johnk
--
Independent Security Architect
t: +1.413.645.4169
e: stable.p...@gmail.com

https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj

Kenton Varda

Sep 26, 2025, 2:36:33 PM
to John Kemp, fr...@googlegroups.com, cap-...@googlegroups.com
I don't use the term "object capability" all that often mostly because I try to use words that the audience knows, and not enough people know it.

But I did make a point of saying that Cap'n Web implements an object-capability model in my blog post on Monday, and then immediately followed it with a list of tangible benefits (not just about security, but expressivity). As far as I can tell, it worked well: people understand this means "this is different from normal RPC systems" and then they see the benefits, and everyone seems universally excited. Well, except one or two trolls on Hacker News who brought up CORBA.

-Kenton

Mark S. Miller

Sep 26, 2025, 6:21:06 PM
to fr...@googlegroups.com, John Kemp, cap-...@googlegroups.com
On Fri, Sep 26, 2025 at 11:36 AM Kenton Varda <temp...@gmail.com> wrote:
> I don't use the term "object capability" all that often mostly because I try to use words that the audience knows, and not enough people know it.
>
> But I did make a point of saying that Cap'n Web implements an object-capability model in my blog post on Monday, and then immediately followed it with a list of tangible benefits (not just about security, but expressivity). As far as I can tell, it worked well: people understand this means "this is different from normal RPC systems" and then they see the benefits, and everyone seems universally excited. Well, except one or two trolls on Hacker News who brought up CORBA.

Sometimes I like to say that distributed object systems are only possible again because most of the people who remember CORBA have retired ;)
 

Ben Laurie

Sep 27, 2025, 3:27:24 AM
to cap-...@googlegroups.com, fr...@googlegroups.com, Kenton Varda
On Fri, 26 Sept 2025 at 18:53, John Kemp <stable.p...@gmail.com> wrote:
> On 09/26/25 at 12:57, Kenton Varda wrote:
> > Actually, though, capabilities are everywhere. Android's Binder and
> > Chrome's Mojo (foundational parts of these respective systems) are
> > capability systems. I'd argue capabilities are actually very common in
> > successful systems, they just aren't always labeled as such and aren't
> > always "pure".
>
> Back in the days when I wrote this in the W3C TAG:
> https://www.w3.org/2001/tag/2010/06/01-cross-domain.html related to UMP
> vs CORS, I was an enthusiastic designer of capability systems while at
> Nokia, but I avoided direct use of the term "object capability."
>
> At that time, Google Doc and Dropbox sharing links, Second Life use of
> capability URLs and quite a few others, along with Google's Caja project
> were all using ocaps in deployed systems around that time.

I was told Second Life uses capabilities very heavily internally, too. 

> Jeni Tennison later wrote a nice document about best practices for
> capability URLs: https://www.w3.org/2001/tag/doc/capability-urls/ and
> https://w3ctag.github.io/presentations/reveal/capability-urls.html
>
> Worth noting that Jonathan Rees and Dan Connolly were also on the TAG at
> this time.

Pierre Thierry

Sep 27, 2025, 9:41:41 AM
to fr...@googlegroups.com
On 26/09/2025 at 18:28, Alan Karp wrote:
> I expect that many of you have heard someone say, "If capabilities are so great, why is nobody using them."
>
> Kenton has just told us that they are being used at Cloudflare.  They are also an important part of the offerings of DigitalBazaar.  Do you know of others?

In my previous company, AUTOGRIFF, we had an external REST API that was capability-based and explicitly so, but the CEO managed to get rid of his entire dev team and replaced us with a team of junior Node.js devs with the intent to replace everything we did, in part because one investor told him using Haskell had been a fundamentally bad decision.

We had two major partners that developed clients for that API and I don't know if they'll keep it in place or decide to redesign that too.

Pierre Thierry
--
pie...@nothos.net
0xD9D50D8A