Capabilities in production systems


Alan Karp

Sep 26, 2025, 12:28:32 PM
to <friam@googlegroups.com>, cap-...@googlegroups.com
I expect that many of you have heard someone say, "If capabilities are so great, why is nobody using them."

Kenton has just told us that they are being used at Cloudflare.  They are also an important part of the offerings of DigitalBazaar.  Do you know of others?

Does it make sense to put up a web page (I suggest on erights.org) listing these examples and others we learn of?

--------------
Alan Karp

Kenton Varda

Sep 26, 2025, 12:57:46 PM
to fr...@googlegroups.com, cap-...@googlegroups.com
To be fair capabilities are used in Cloudflare Workers because I designed it that way. ;)

But everyone is pretty happy with the result.

Actually, though, capabilities are everywhere. Android's Binder and Chrome's Mojo (foundational parts of these respective systems) are capability systems. I'd argue capabilities are actually very common in successful systems, they just aren't always labeled as such and aren't always "pure".

-Kenton

--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/friam/CANpA1Z2OmEmpE0bTieON%3Df3w7hKvTEGsrV%3DS033AsKg1-sPe2Q%40mail.gmail.com.

John Kemp

Sep 26, 2025, 1:53:22 PM
to fr...@googlegroups.com, Kenton Varda, cap-...@googlegroups.com
On 09/26/25 at 12:57, Kenton Varda wrote:
> Actually, though, capabilities are everywhere. Android's Binder and
> Chrome's Mojo (foundational parts of these respective systems) are
> capability systems. I'd argue capabilities are actually very common in
> successful systems, they just aren't always labeled as such and aren't
> always "pure".

Back in the days when I wrote this in the W3C TAG:
https://www.w3.org/2001/tag/2010/06/01-cross-domain.html related to UMP
vs CORS, I was an enthusiastic designer of capability systems while at
Nokia, but I avoided direct use of the term "object capability."

At that time, Google Doc and Dropbox sharing links, Second Life use of
capability URLs and quite a few others, along with Google's Caja project
were all using ocaps in deployed systems around that time.

Jeni Tennison later wrote a nice document about best practices for
capability URLs: https://www.w3.org/2001/tag/doc/capability-urls/ and
https://w3ctag.github.io/presentations/reveal/capability-urls.html

Worth noting that Jonathan Rees and Dan Connolly were also on the TAG at
this time.

- johnk
--
Independent Security Architect
t: +1.413.645.4169
e: stable.p...@gmail.com

https://www.linkedin.com/in/johnk-am9obmsk/
https://github.com/frumioj

Kenton Varda

Sep 26, 2025, 2:36:33 PM
to John Kemp, fr...@googlegroups.com, cap-...@googlegroups.com
I don't use the term "object capability" all that often mostly because I try to use words that the audience knows, and not enough people know it.

But I did make a point of saying that Cap'n Web implements an object-capability model in my blog post on Monday, and then immediately followed it with a list of tangible benefits (not just about security, but expressivity). As far as I can tell, it worked well: people understand this means "this is different from normal RPC systems" and then they see the benefits, and everyone seems universally excited. Well, except one or two trolls on Hacker News who brought up CORBA.

-Kenton

Mark S. Miller

Sep 26, 2025, 6:21:06 PM
to fr...@googlegroups.com, John Kemp, cap-...@googlegroups.com
On Fri, Sep 26, 2025 at 11:36 AM Kenton Varda <temp...@gmail.com> wrote:
> I don't use the term "object capability" all that often mostly because I try to use words that the audience knows, and not enough people know it.
>
> But I did make a point of saying that Cap'n Web implements an object-capability model in my blog post on Monday, and then immediately followed it with a list of tangible benefits (not just about security, but expressivity). As far as I can tell, it worked well: people understand this means "this is different from normal RPC systems" and then they see the benefits, and everyone seems universally excited. Well, except one or two trolls on Hacker News who brought up CORBA.

Sometimes I like to say that distributed object systems are only possible again because most of the people who remember CORBA have retired ;)
 

Ben Laurie

Sep 27, 2025, 3:27:24 AM
to cap-...@googlegroups.com, fr...@googlegroups.com, Kenton Varda
On Fri, 26 Sept 2025 at 18:53, John Kemp <stable.p...@gmail.com> wrote:
> On 09/26/25 at 12:57, Kenton Varda wrote:
> > Actually, though, capabilities are everywhere. Android's Binder and
> > Chrome's Mojo (foundational parts of these respective systems) are
> > capability systems. I'd argue capabilities are actually very common in
> > successful systems, they just aren't always labeled as such and aren't
> > always "pure".
>
> Back in the days when I wrote this in the W3C TAG:
> https://www.w3.org/2001/tag/2010/06/01-cross-domain.html related to UMP
> vs CORS, I was an enthusiastic designer of capability systems while at
> Nokia, but I avoided direct use of the term "object capability."
>
> At that time, Google Doc and Dropbox sharing links, Second Life use of
> capability URLs and quite a few others, along with Google's Caja project
> were all using ocaps in deployed systems around that time.

I was told Second Life uses capabilities very heavily internally, too. 

> Jeni Tennison later wrote a nice document about best practices for
> capability URLs: https://www.w3.org/2001/tag/doc/capability-urls/ and
> https://w3ctag.github.io/presentations/reveal/capability-urls.html
>
> Worth noting that Jonathan Rees and Dan Connolly were also on the TAG at
> this time.
>
> - johnk
> --
> Independent Security Architect
> t: +1.413.645.4169
> e: stable.p...@gmail.com
>
> https://www.linkedin.com/in/johnk-am9obmsk/
> https://github.com/frumioj

--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/cap-talk/57a35174-efc3-4a6e-b522-4dfa6f1f9c7a%40gmail.com.

Pierre Thierry

Sep 27, 2025, 9:41:41 AM
to fr...@googlegroups.com
On 26/09/2025 at 18:28, Alan Karp wrote:
> I expect that many of you have heard someone say, "If capabilities are so great, why is nobody using them."
>
> Kenton has just told us that they are being used at Cloudflare.  They are also an important part of the offerings of DigitalBazaar.  Do you know of others?

In my previous company, AUTOGRIFF, we had an external REST API that was capability-based and explicitly so, but the CEO managed to get rid of his entire dev team and replaced us with a team of junior node.js devs with the intent to replace everything we did, in part because one investor told him using Haskell had been a fundamentally bad decision.

We had two major partners that developed clients for that API and I don't know if they'll keep it in place or decide to redesign that too.

Pierre Thierry
--
pie...@nothos.net
0xD9D50D8A

Dan Connolly

Oct 13, 2025, 6:46:29 PM
to fr...@googlegroups.com, cap-...@googlegroups.com
On Fri, Sep 26, 2025 at 11:28 AM Alan Karp <alan...@gmail.com> wrote:
> I expect that many of you have heard someone say, "If capabilities are so great, why is nobody using them."
>
> Does it make sense to put up a web page (I suggest on erights.org) listing these examples and others we learn of?

I certainly think so!



On Fri, Sep 26, 2025 at 11:57 AM Kenton Varda <temp...@gmail.com> wrote:
> ... Android's Binder and Chrome's Mojo (foundational parts of these respective systems) are capability systems.

I had a vague notion about Binder.
I don't remember Mojo at all. (except: that's what we named our dog: https://www.madmode.com/2023/walk-n-talk )

Here are some IOUs to update awesome-ocap.



-- 
Dan Connolly

Alan Karp

Oct 14, 2025, 12:22:47 PM
to fr...@googlegroups.com
I think Dan's list makes my point.  Cloudflare is the only capability system he lists that is in production use.  Sandstorm, the company, is gone, and nobody(?) is using Tahoe-LAFS.  Gernot pointed out that Nio is using capabilities in its seL4-based OS, so that's a second example.  I've also been told that DigitalBazaar uses capabilities at scale, but I haven't been able to find a place to point people to.

--------------
Alan Karp



Mark S. Miller

Oct 14, 2025, 6:15:32 PM
to fr...@googlegroups.com
MetaMask is also huge!




--
  Cheers,
  --MarkM

Mark S. Miller

Oct 14, 2025, 6:16:07 PM
to fr...@googlegroups.com
Moddable
--
  Cheers,
  --MarkM

Dean Tribble

Oct 15, 2025, 3:51:48 PM
to fr...@googlegroups.com, fr...@googlegroups.com
Google doc links set for “anyone with this link”

Sent from my phone

On Oct 14, 2025, at 3:16 PM, Mark S. Miller <eri...@gmail.com> wrote:



Alan Karp

Oct 15, 2025, 6:35:29 PM
to fr...@googlegroups.com
On Wed, Oct 15, 2025 at 12:51 PM Dean Tribble <dtri...@gmail.com> wrote:
> Google doc links set for “anyone with this link”

Sort of.  You can share the link but not delegate it if it's read/write.  There's no revocation except renaming the document.   

That being said, I use it as an example in one of my talks.

--------------
Alan Karp


Ben Laurie

Oct 15, 2025, 6:36:53 PM
to fr...@googlegroups.com
On Thu, 16 Oct 2025 at 06:35, Alan Karp <alan...@gmail.com> wrote:
> On Wed, Oct 15, 2025 at 12:51 PM Dean Tribble <dtri...@gmail.com> wrote:
> > Google doc links set for “anyone with this link”
>
> Sort of.  You can share the link but not delegate it if it's read/write.  There's no revocation except renaming the document.
>
Neither of those things is required to fit the definition.
 

Alan Karp

Oct 15, 2025, 6:49:22 PM
to fr...@googlegroups.com
On Wed, Oct 15, 2025 at 3:36 PM 'Ben Laurie' via friam <fr...@googlegroups.com> wrote:

> > > Google doc links set for “anyone with this link”
> >
> > Sort of.  You can share the link but not delegate it if it's read/write.  There's no revocation except renaming the document.
>
> Neither of those things is required to fit the definition.

True, which is why I said "sort of."  It's my enterprise bias that wants to define delegation so I can properly audit who did what to whom when.

--------------
Alan Karp

Ben Laurie

Oct 15, 2025, 7:32:52 PM
to fr...@googlegroups.com
You can delegate, of course, and revoke, by wrapping it in another weblink.
 


Alan Karp

Oct 15, 2025, 8:00:41 PM
to fr...@googlegroups.com
On Wed, Oct 15, 2025 at 4:32 PM 'Ben Laurie' via friam <fr...@googlegroups.com> wrote:

> > True, which is why I said "sort of."  It's my enterprise bias that wants to define delegation so I can properly audit who did what to whom when.
>
> You can delegate, of course, and revoke, by wrapping it in another weblink.
 
But you have to set up a web server, right?  A more usable solution might be something like OAuth token exchange, where you can ask Google to do the wrapping for you.

--------------
Alan Karp
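The wrapping that Ben and Alan are discussing, as an added example in Python (not code from this thread, and not how Google Docs or any product named here works): a hypothetical `CapabilityRegistry` that maps unguessable swiss numbers to targets, issues a fresh swiss number that forwards to an existing one, records who delegated to whom for the audit trail Alan wants, and lets the delegator revoke the wrapper without touching the original. It goes slightly beyond the thread in letting a wrapper narrow the rights it forwards, which is the usual companion to revocation in this pattern. The names, the holder labels and the audit tuples are all my assumptions.

```python
# Added example (not code from the thread or from any product discussed in it):
# a "wrapping" service that turns an existing capability link into a new one that
# can be delegated further, attenuated, and revoked independently of the original.
# All names (CapabilityRegistry, swiss numbers, holder labels) are hypothetical.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Capability:
    target: str                    # the resource designated, e.g. a document id
    rights: frozenset              # subset of {"read", "write"}
    holder: str                    # who the capability was issued to (for the audit log)
    parent: Optional[str] = None   # swiss number of the capability this one wraps
    revoked: bool = False


class CapabilityRegistry:
    """Maps unguessable swiss numbers to capabilities and records delegations."""

    def __init__(self) -> None:
        self._caps: dict[str, Capability] = {}
        self.audit: list[tuple] = []   # (event, actor, target, detail)

    def mint(self, target: str, rights, holder: str) -> str:
        """Create a root capability; the returned swiss number is the link's secret part."""
        swiss = secrets.token_urlsafe(32)
        self._caps[swiss] = Capability(target, frozenset(rights), holder)
        self.audit.append(("mint", holder, target, sorted(rights)))
        return swiss

    def wrap(self, parent_swiss: str, holder: str, rights=None) -> str:
        """Delegate: issue a new swiss number that forwards to the parent.

        Rights can only be narrowed, never widened, and revoking the parent
        (or any ancestor) also cuts off everything derived from it.
        """
        parent = self.resolve(parent_swiss)
        if parent is None:
            raise PermissionError("cannot delegate an unknown or revoked capability")
        granted = parent.rights if rights is None else parent.rights & frozenset(rights)
        swiss = secrets.token_urlsafe(32)
        self._caps[swiss] = Capability(parent.target, granted, holder, parent=parent_swiss)
        self.audit.append(("delegate", parent.holder, parent.target,
                           f"to {holder} {sorted(granted)}"))
        return swiss

    def revoke(self, swiss: str, by: str) -> None:
        """Mark one link dead; derived links die with it, the parent keeps working."""
        cap = self._caps.get(swiss)
        if cap is not None and not cap.revoked:
            cap.revoked = True
            self.audit.append(("revoke", by, cap.target, f"link held by {cap.holder}"))

    def resolve(self, swiss: str) -> Optional[Capability]:
        """Return the capability if it and every ancestor are still live."""
        cap = self._caps.get(swiss)
        cur = cap
        while cur is not None:
            if cur.revoked:
                return None
            cur = self._caps.get(cur.parent) if cur.parent is not None else None
        return cap

    def access(self, swiss: str, op: str) -> bool:
        """Authorize one operation and record who did what to which target."""
        cap = self.resolve(swiss)
        allowed = cap is not None and op in cap.rights
        who = cap.holder if cap is not None else "unknown"
        target = cap.target if cap is not None else "?"
        self.audit.append(("access", who, target, f"{op} {'ok' if allowed else 'denied'}"))
        return allowed


def demo() -> list:
    """Walk through delegate, attenuate, revoke; returns the access decisions."""
    reg = CapabilityRegistry()
    root = reg.mint("doc-42", {"read", "write"}, holder="alice")
    bob = reg.wrap(root, holder="bob", rights={"read"})               # attenuated delegation
    carol = reg.wrap(bob, holder="carol", rights={"read", "write"})   # cannot escalate past bob
    results = [reg.access(bob, "read"), reg.access(bob, "write"), reg.access(carol, "write")]
    reg.revoke(bob, by="alice")                                       # carol's link dies with bob's
    results += [reg.access(carol, "read"), reg.access(root, "write")]
    return results


if __name__ == "__main__":
    print(demo())
```

The registry is the "web server" Alan objects to having to run: whoever hosts the mapping from wrapper to parent is the party that can revoke, and the audit list is what makes the delegation chain answerable after the fact. Note that revocation acts on the link, not the target, which is the distinction William's deleted-file story turns on.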

William ML Leslie

Oct 15, 2025, 8:20:05 PM
to fr...@googlegroups.com
On Thu, 16 Oct 2025 at 09:32, 'Ben Laurie' via friam <fr...@googlegroups.com> wrote:


> On Thu, 16 Oct 2025 at 06:49, Alan Karp <alan...@gmail.com> wrote:
> > On Wed, Oct 15, 2025 at 3:36 PM 'Ben Laurie' via friam <fr...@googlegroups.com> wrote:
> >
> > > > > Google doc links set for “anyone with this link”
> > > >
> > > > Sort of.  You can share the link but not delegate it if it's read/write.  There's no revocation except renaming the document.
> > >
> > > Neither of those things is required to fit the definition.
> >
> > True, which is why I said "sort of."  It's my enterprise bias that wants to define delegation so I can properly audit who did what to whom when.
>
> You can delegate, of course, and revoke, by wrapping it in another weblink.

Google Docs' "anyone with this link" is a capability system that I have a lot of gratitude for as it has saved my day more times than I recall.  It's also one most people have used at some point.

Yet, I have a hard time recommending it as an exemplary capability system due to the stark absence of Secure Interaction Design principles applied.  One example is when I shared a file in a registered irc channel before realising it contained some of my personal details.  Since there's no representation in google drive how many links you've created and shared, I just deleted the file, assuming that nobody could access it once it was gone.  However, the link continued to work.  Eventually I figured out how to delete it properly, but the missing visibility and self-awareness troubles me as a capability systems advocate.

There's a part of me that understands the shortcomings of that system as a deliberate business decision so - at least in my mind - it doesn't affect my view of any of the engineering team that worked on it.  Google really want you to be logged in.
 
--
William ML Leslie

Pierre Thierry

Oct 16, 2025, 6:30:02 AM
to fr...@googlegroups.com
On 26/09/2025 at 18:28, Alan Karp wrote:
> I expect that many of you have heard someone say, "If capabilities are so great, why is nobody using them."
>
> Kenton has just told us that they are being used at Cloudflare.  They are also an important part of the offerings of DigitalBazaar.  Do you know of others?

At my previous company, we deployed a capability-based API for a couple of partners. We used swiss numbers in base64 in an X-Capability header to avoid leaking capabilities in various log files.

Sadly, the CEO threw a tantrum and alienated the whole dev team and everyone was either fired or went away, and they are in the process of replacing everything. There's a one in a million chance there will be capabilities if they succeed in putting the next version into production.

I started working at Tontine Trust a few weeks ago, though, and it's one of those companies where security needs to be extremely tight (we'll handle millions of dollars) and there might be a strong use case for delegation (customers might want to delegate part of their access to some financial advisor or caretaker with auditability, and we may work with big institutions where they need to have some level of access to their customers' accounts in our system). I hope we'll use capabilities within 6–12 months.

Hopefully,
Pierre
--

pie...@nothos.net
0xD9D50D8A
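The header-carried swiss number Pierre describes, as an added example in Python (not AUTOGRIFF's code, which does not appear in this thread): a hypothetical `CapabilityStore` and `handle_request` that read a base64 swiss number from an `X-Capability` header, look it up by its SHA-256 digest, and write an access-log line that carries the method, path and status but never the capability. Storing only a digest of the swiss number, and the contrast function showing a query-string capability landing verbatim in the same log, are my additions, not something Pierre stated.

```python
# Added example (not code from the thread or from AUTOGRIFF's API): a request
# handler that carries a swiss number in an X-Capability header rather than in
# the URL, so the capability never reaches the access log, and that looks it up
# by its hash so neither the stored table nor lookup timing exposes the secret.
# CapabilityStore, handle_request and the sample requests are hypothetical.
import base64
import binascii
import hashlib
import secrets
from typing import Optional


class CapabilityStore:
    """Stores only SHA-256 digests of swiss numbers, keyed for O(1) lookup."""

    def __init__(self) -> None:
        self._by_digest: dict[bytes, tuple[str, frozenset]] = {}

    def mint(self, resource: str, rights) -> str:
        raw = secrets.token_bytes(32)                        # 256-bit unguessable swiss number
        self._by_digest[hashlib.sha256(raw).digest()] = (resource, frozenset(rights))
        return base64.b64encode(raw).decode("ascii")         # what the client sends in the header

    def lookup(self, header_value: str) -> Optional[tuple]:
        """Resolve a header value to (resource, rights), or None if unknown or malformed."""
        try:
            raw = base64.b64decode(header_value, validate=True)
        except (binascii.Error, ValueError):
            return None
        # Hashing before the dict lookup means equality is tested on digests, so a
        # caller cannot learn prefix matches of the secret from response timing,
        # and a leaked copy of the table does not hand out working capabilities.
        return self._by_digest.get(hashlib.sha256(raw).digest())


def handle_request(store: CapabilityStore, method: str, path: str,
                   headers: dict, access_log: list) -> int:
    """Authorize a request from its X-Capability header and append one log line.

    The log line records method, path and status only; the header value is
    deliberately never written, which is the point of moving it out of the URL.
    """
    entry = store.lookup(headers.get("X-Capability", ""))
    op = "read" if method in ("GET", "HEAD") else "write"
    allowed = (entry is not None
               and entry[0] == path          # the capability must designate this resource
               and op in entry[1])           # and carry the right for this operation
    status = 200 if allowed else 403
    access_log.append(f"{method} {path} -> {status}")
    return status


def query_string_variant_leaks(path: str, swiss: str, access_log: list) -> bool:
    """Contrast: a capability carried in the URL shows up verbatim in the same log."""
    access_log.append(f"GET {path}?cap={swiss} -> 200")   # constructed log line
    return any(swiss in line for line in access_log)


if __name__ == "__main__":
    store, log = CapabilityStore(), []
    cap = store.mint("/docs/42", {"read"})
    handle_request(store, "GET", "/docs/42", {"X-Capability": cap}, log)
    handle_request(store, "PUT", "/docs/42", {"X-Capability": cap}, log)
    handle_request(store, "GET", "/docs/42", {}, log)
    print("\n".join(log))
```

A malformed header (bad base64, wrong length, empty) is treated exactly like an unknown capability, so the handler never distinguishes "no such capability" from "garbage" to the caller. Proxies and browsers do not copy custom headers into referrers or history the way they do URLs, which is the other half of why the header placement keeps the swiss number out of third-party logs.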