Next: Operations Up: ECS SYSTEM ARCHITECTURE Previous: C-lists (and capabilities)

Capability-creating-authorization

These provided a user program with the ability to create private capabilities, whose type was distinct both from the system-provided types and from other private types. Each capability-creating-authorization capability specified the type that capabilities newly created with it would contain. The following three actions provided the facility:
i) create a new capability-creating-authorization: produces a capability for a capability-creating-authorization, with a specified type never before seen.

ii) create a new capability: requires two parameters:
    a) a capability-creating-authorization
    b) a 60 bit datum
    and produces a capability with all option bits on, with type as specified in the capability-creating-authorization, and with the 60 bit datum as value.

iii) read a capability: produces two words of data, containing the type, option bits and numerical value of the value part.
Using these facilities, a "user"-written subsystem could construct unforgeable pointers of its own. So long as it never permitted unfriendly programs access to its capability-creating-authorization, it would know that only friendly programs had created capabilities of its own type, and so the value of such a capability could be trusted. This value might, for example, have been the disk address of a header for a disk file. Furthermore, programs which used such a subsystem would have available the protection facility of the basic system: for example, they could store disk file capabilities in C-lists, and pass disk file capabilities with reduced option bits to untrusted subsystems.
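The following is a small executable model of the three actions and of the subsystem argument above, added here as an illustration; it is not code from the ECS system. The Kernel and FileSubsystem classes, the width of the option-bit field and the type numbering are assumptions made for the model.

```python
from dataclasses import dataclass
import itertools

# Constructed model of the ECS capability-creating-authorization mechanism.
AUTH_TYPE = 0                # assumed type number of an authorization capability
ALL_OPTIONS = 0xFFFF         # "all option bits on" (field width is an assumption)
DATUM_MASK = (1 << 60) - 1   # the value part is a 60 bit datum


@dataclass(frozen=True)
class Capability:
    ctype: int     # type
    options: int   # option bits
    value: int     # numerical value of the value part


class Kernel:
    """Only the kernel can mint capabilities; user code receives opaque objects."""

    def __init__(self):
        self._types = itertools.count(1)  # fresh type numbers, never reused

    def create_authorization(self):
        # i) an authorization whose value names a type never before seen
        return Capability(AUTH_TYPE, ALL_OPTIONS, next(self._types))

    def create_capability(self, auth, datum):
        # ii) minting requires an authorization; the new capability takes its type
        if auth.ctype != AUTH_TYPE:
            raise PermissionError("not a capability-creating-authorization")
        if datum & ~DATUM_MASK:
            raise ValueError("datum exceeds 60 bits")
        return Capability(auth.value, ALL_OPTIONS, datum)

    def read_capability(self, cap):
        # iii) type and option bits in one word, the value in the other
        return (cap.ctype, cap.options), cap.value

    def restrict(self, cap, options):
        # basic-system facility: a copy with a subset of the option bits
        return Capability(cap.ctype, cap.options & options, cap.value)


class FileSubsystem:
    """User-written subsystem whose capabilities carry a disk header address."""

    def __init__(self, kernel):
        self.k = kernel
        self._auth = kernel.create_authorization()  # never handed to other programs
        self.type = self._auth.value

    def open(self, disk_addr):
        return self.k.create_capability(self._auth, disk_addr)

    def header_address(self, cap):
        (ctype, _), value = self.k.read_capability(cap)
        if ctype != self.type:
            raise PermissionError("capability is not of this subsystem's type")
        return value  # trusted: only the holder of _auth could have minted it
```

A capability minted by a second subsystem (or a plain data capability offered in place of an authorization) is rejected by the type check, while a copy with reduced option bits still carries the trusted value.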
Paul McJones
1998-06-22