On Thu, Jun 18, 2026 at 1:41 PM Alan Karp <
alan...@gmail.com> wrote:
>
> On Thu, Jun 18, 2026 at 12:02 PM Matt Rice <
rat...@gmail.com> wrote:
>>
>>
>> In the original problem we had a designation which referred to
>> something like a filesystem path, or an OS level designation,
>> that produces a file descriptor. With the original do not separate
>> designation from authority being a single designation which referenced
>> multiple authorities.
>> A directory "foo/" was one such designation.
>
>
> I disagree. In this case "foo" refers to a single object, the directory with
> methods such as "list contents" that don't apply to the individual elements
> inside the directory.
>
> In the systems I know, you can't access something in
> the directory with the directory file handle. You have to get a separate file
> handle for each entry you want to use. Maybe that's where my bias against
> using a compound delegation certificate in an invocation comes from.
My example here is referring to the original systems which separated
designation from
authority. Having the orignal 1:designation many:authority problem.
Not any actual capability system without confused deputy problems.
It was just my attempt at an explanation for why "do not separate
designation from authority",
turned into a confused deputy problem for these old systems, and why
by all appearances
this new system has separated designation from authority but doesn't
appear to suffer the
*exact same* set of problems.
I wasn't trying to say anything about systems which function properly.
>>
>> If we take this same definition of designation, then the designation
>> is a certificate file
>> (i'm confident saying that on both posix like systems and capability
>> OS's, a certificate capability would return some file descriptor for
>> the contents of the certificate)
>
>
> Sometimes. It's true for UCAN, which lets you point to the certificate;
> false for zcap, where you include the authorizing certificate in the
> invocation certificate.
>
>>
>> In these systems the granularity with which invocations wield
>> authority is designation.
>
> The key point is what you mean by designation. In an object-reference-
> as-capability system (ocaps), you designate via the object reference. If
> you model a certificate capability system that way, you designate it with
> a certificate granting permission to a single resource. Using a compound
> certificate with a separate way to denote which resource you're invoking
> is what I've been arguing against.
>
>> As far as I understand it Invocation in this certificate system wields
>> authority at a finer granularity than designation, which we could call
>> resource designation.
>
>
> Yes. I'm concerned that distinction might confuse developers.
Right I'm certain it'll confuse developers and users alike,
I just don't think it's going to confuse applications being invoked
via a system call.
>>
>>
>> In the old systems we had a problem of 1:designation to many:authority mapping.
>> Here we have a problem of 1-designation to many:resource-designation mapping.
>> With a 1: resource-designation to 1: authority mapping
>
>
> Is this referring back to your directory "foo" example?
Yeah, I was trying to contrast the confused deputy suffering example
and the certificate one.
For confused deputy sufferers a directory has:
1: designation many:authority
For multi-resource certificate sufferers:
1:certificate many:resource-designation
1:resource-designation 1:authority mapping
Capability system:
1:designation 1:authority
So if invocation really requires a resource-designation, the mapping
is still 1 to 1.
I wouldn't expect there to be any problems, since it seems to have the
same 1 to 1 mapping as the capability model.
>> Since invocation takes a finer grained form of designation which still
>> has a 1:1 mapping to authority we don't get the original problems.
>
>
> And that's my conundrum. I want to argue for single resource certificates only in
> invocations, but I can't make a compelling argument. All I have is that it better
> corresponds to the ocap model, which doesn't convince even me.
I just don't think you'll find it if you limit yourself to invocations.
I would expect to find problems in grant problems which you don't care
about, but let my skepticism be noted for the record.