Capability Myths Debunked
Created on 2021-11-18T17:42:09-06:00
Authority: the ability of a subject to access a resource
An ACL requires the resource to know the subject and grant it access
Caps are tokens whose possession grants access
Confinement
The confinement property: when a permission is given to an actor, that actor cannot reissue the permission to another actor (without in turn having permission to do so).
Cap systems can implement confinement by not allowing a trusted actor to communicate with an untrusted one.
NB: could also think of using a session ID or host data to deal with keys being leaked?
Revocability
Capabilities cannot be revoked once signed and issued
The issue can be worked around with a two-facet design: a proxy facet and a revocation facet. Alice signs the proxy cap over to Bob and keeps the revoke cap. Bob sends messages to the proxy, which acts with the permission delegated from Alice, but Alice can invoke the revoke cap at any time to kill the proxy.
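A worked version of the two-facet pattern, added here as an example (not code from these notes or from the paper they summarise). It models the proxy and revoke facets as in-process objects in the object-capability style rather than as signed tokens; names such as make_revocable, Mailbox and demo are assumptions, and Python only approximates the isolation a real ocap language gives.

```python
# Added example: a revocable forwarder built from two facets (names hypothetical).

class Revoked(Exception):
    """Raised when a message reaches a proxy whose revoke facet has fired."""


def make_revocable(target):
    """Return (proxy, revoke) facets for `target`.

    `proxy` forwards attribute access to `target` and is what Alice hands to Bob.
    `revoke` is a separate object that Alice keeps; Bob is never given it.
    """
    state = {"target": target}   # shared only by the two closures below

    class Proxy:
        def __getattr__(self, name):
            tgt = state["target"]
            if tgt is None:
                raise Revoked(f"capability revoked; cannot send {name!r}")
            return getattr(tgt, name)

    def revoke():
        state["target"] = None   # drop the only reference the proxy holds

    return Proxy(), revoke


class Mailbox:
    """Constructed sample resource that Alice holds a capability to."""
    def __init__(self):
        self.messages = []

    def post(self, text):
        self.messages.append(text)
        return len(self.messages)


def demo():
    """Bob uses the proxy until Alice revokes; returns what each attempt yielded."""
    box = Mailbox()
    proxy, revoke = make_revocable(box)   # Alice builds both facets
    first = proxy.post("hello from Bob")   # Bob's delegated permission works
    revoke()                               # Alice kills the proxy
    try:
        proxy.post("still here?")
        second = "delivered"
    except Revoked:
        second = "revoked"
    return first, second, list(box.messages)
```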
Boebert
Agents read at their clearance level and below, and write at their clearance level and above. Data carries a classification level.
History
Lampson's access matrix is a device for showing which user holds which permission on which object.
The slogan "ACLs are the rows, Caps are the columns" is only loosely true.
The matrix is treated as the permission system even though it doesn't explain how those permissions are determined.