April 12, 2003

Capability-based Security

At the DOCsec conference last week, I met Tyler Close from Waterken Inc., who was speaking about his capability-based security system for web services and applications.

A couple of things struck me as interesting about Tyler's approach to web application design:

  • The capability-based security control is something I don't think I have seen in any mainstream commercial product to date, although it is a general approach which will have been covered by anyone with a Computing Science degree. There are many advantages of using capabilities rather than an approach based on Credentials + ACLs (Access Control Lists), but it requires a shift in perspective from developers to get into that mindset.
  • The web-calculus defines an application interface model based purely around resources. These resources are then mapped using an Abstract Messaging Protocol to a number of different access and messaging models - including REST/HTTP, Remote Procedure Call (RPC - e.g. XML-RPC), Document exchange (DEM - e.g. Doc/Lit SOAP), and Network object model (NOM - e.g. CORBA).
    This supports many of my thoughts about a resource-oriented architecture style, of which REST is only one example - and interestingly enough the main Waterken demo tutorial involves accessing SQL data - which again seems to support my assertion that SQL can be viewed as a valid example of a resource-oriented architecture style.

I wish Tyler well with his commercial efforts, although I can't help thinking he has a major task ahead of him to not only evangelize a new approach to web services and application design (the web-calculus), but also bring people up to speed with the security model they are not very familiar with (capabilities) and which probably seems like "magic" to many people.

Of course, there are many people working on the latter too, and erights.org (the home of the E secure P2P scripting language and Elib Java library) provides some useful pointers.

