[vwrap] looking for good summaries of web capabilities
Meadhbh Hamrick <ohmeadhbh@gmail.com> Sun, 18 July 2010 16:23 UTC
List-Id: Virtual World Region Agent Protocol - IETF working group
<vwrap.ietf.org>

hey peeps,

i want to stuff a reference to web capabilities in the intro, revised foundation and auth documents, but i'm having a problem finding a document that's "just right."

if you start searching for "capabilities" on google, you find a lot of references to Henry Levy's "Capability Based Computer Systems" (available online at http://www.cs.washington.edu/homes/levy/capabook/ .) it's a good book, but is really focused on capability based addressing systems for systems that use caps locally (not web caps.) references on the wikipedia seem to have the same problem; they're focused on caps for replacing ACLs locally on computer systems.

Miller, et al., published "Myths of Capabilities Demolished" (available online at http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf ,) but the tone of the paper is wrong for my needs. i need something that discusses what caps are, not something that goes into detail about why they're at least as good as ACLs.

Miller also wrote a pretty good paper called "robust composition: towards a unified approach to access control and concurrency control" but it's focused on explaining caps in terms of miller's E rights language and KeyKOS operating system.

i guess what i'm looking for is a paper that briefly describes the "confused deputy problem," the object-capability security model and how web capabilities work (independent of operating system and implementation language.)

if i can't find one "soon," like in the next couple of weeks, i'm probably going to write my own, possibly adding a motivation section describing how the confused deputy is more of a problem in "loosely coupled" systems and maybe a bit about client side capabilities.

but before i do that, i figured i would ask if anyone knows of a simple paper on webcaps?

-cheers, all.
-meadhbh

--
meadhbh hamrick * it's pronounced "maeve"
@OhMeadhbh * http://meadhbh.org/ * OhMeadhbh@gmail.com