In the confused deputy example, where does the compiler get the capability to access the billing file? It seems that anywhere we would use setuid in Unix, capability systems need to have files with built-in capabilities.

The whole issue of how capabilities are "born" and how they look to users is hard to understand. Jonathon Shapiro, in his introduction to capabilities, suggests that capability systems should have persistence, so capabilities never need to be created, they always exist. But it is hard to see how this could work. Surely they have to be created sometime.

See my discussion of how ACLs can solve the Confused Deputy problem.


Hal Finney
March 17, 1998
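To make the two models in the post concrete, here is an added illustration (not code from the post, from Hardy's original paper, or from Shapiro's work). It uses a constructed in-memory filesystem with made-up paths and principals ("alice", a "compiler" service, a billing file) and shows, first, a setuid-style deputy that names files on the caller's behalf and so gets confused, and second, a capability-style deputy whose only private authority, the billing capability, is minted once by the service owner at installation time and handed to it; everything else it writes goes through a capability the caller already had to be entitled to.

```python
# Constructed example: a "compiler" deputy with ambient (setuid-style) authority
# versus one that writes only through capabilities. All names and paths are made up.


class ToyFS:
    """Tiny in-memory filesystem whose access rule plays the part of the ACL."""

    def __init__(self):
        self.files = {
            "/sys/billing": ["usage: start"],
            "/home/alice/prog.src": ["print 1"],
            "/home/alice/out.dbg": [],
        }
        self.owner = {
            "/sys/billing": "compiler",
            "/home/alice/prog.src": "alice",
            "/home/alice/out.dbg": "alice",
        }

    def may_write(self, principal, path):
        # Toy ACL: owners write their own files; the compiler service was also
        # granted write access under /home so it can deliver output to users.
        return self.owner.get(path) == principal or (
            principal == "compiler" and path.startswith("/home/")
        )

    def append(self, principal, path, line):
        """Ambient-authority write: decided by who is running, not who asked."""
        if not self.may_write(principal, path):
            raise PermissionError(f"{principal} may not write {path}")
        self.files[path].append(line)

    def open_write(self, principal, path):
        """Where a capability is born: the ACL is consulted once, and the
        returned WriteCap carries that authority with no further name lookup."""
        if not self.may_write(principal, path):
            raise PermissionError(f"{principal} may not write {path}")
        return WriteCap(self, path)


class WriteCap:
    """Handle to exactly one writable file (unforgeable by convention of this toy)."""

    def __init__(self, fs, path):
        self._fs = fs
        self._path = path

    def append(self, line):
        self._fs.files[self._path].append(line)


# --- 1. setuid-style deputy: runs as "compiler" and names files for the caller ---

def compile_ambient(fs, src_path, debug_path):
    src = fs.files[src_path]
    fs.append("compiler", "/sys/billing", f"charged for {src_path}")
    # The confusion: the deputy uses ITS OWN authority to write wherever the caller said.
    fs.append("compiler", debug_path, f"debug: {len(src)} lines")


def demo_ambient():
    fs = ToyFS()
    # Alice cannot write /sys/billing herself, but she can ask the deputy to.
    compile_ambient(fs, "/home/alice/prog.src", "/sys/billing")
    return fs.files["/sys/billing"]  # billing log now carries Alice's debug output


# --- 2. capability-style deputy: holds one private capability, accepts the rest ---

class CompilerService:
    def __init__(self, billing_cap):
        self._billing = billing_cap  # granted once at installation, never looked up by name

    def compile(self, src_lines, debug_cap):
        self._billing.append(f"charged for {len(src_lines)}-line job")
        debug_cap.append(f"debug: {len(src_lines)} lines")  # only where the caller could already write


def demo_capability():
    fs = ToyFS()
    # Installation step: the service owner mints the billing capability and hands it over.
    service = CompilerService(fs.open_write("compiler", "/sys/billing"))
    # Alice has to present a capability; naming the billing file fails at minting time,
    # before the deputy ever sees the request, so there is nothing to confuse it with.
    try:
        bad = fs.open_write("alice", "/sys/billing")
    except PermissionError:
        bad = None
    service.compile(fs.files["/home/alice/prog.src"],
                    fs.open_write("alice", "/home/alice/out.dbg"))
    return bad, fs.files["/sys/billing"], fs.files["/home/alice/out.dbg"]
```

The toy answers the post's question in the only way it can: the billing capability is not conjured by the compiler at run time but created by an authority check at a well-defined earlier moment and then held. Whether that moment is "installation" or, in a persistent system, the initial construction of the image is a design choice the example does not settle.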