Microsoft’s Internet Explorer, version 4, provides new security functions that they refer to as “capability based”. (As of October 1997 they seem to have ceased using that term! Indeed the links below are broken. Perhaps this is their current thinking. (Sept 2010)) These new and useful functions do indeed give the user more control over the security precautions that protect his computer and his secrets. To call them “capability based” conforms well to definitions found in English dictionaries. They do not, however, conform to the pattern of software design long known as capability based in computer science, nor do they deliver the fundamental advantages of that pattern.

I have not yet used version 4 of IE, but I have read the web page describing the new features and the white paper describing the reasons for the design. As I understand the new features, the user may establish security zones in the network and associate with each zone certain capabilities, which are granted to programs visiting his machine from that zone.

Capabilities, in the computer-science sense, designate specific instances of things within a computer: this file, this connection, this object. From the descriptions I gather that the capabilities that can be granted to visiting software are only categorical. I can’t grant read access to a particular file to a certain zone.

Another way that Microsoft’s new features are unlike capabilities is that programs in capability systems invoke capabilities explicitly by naming them. (This naming is bundled with naming the thing they are to operate on, so the act of choosing what to touch is also the act of choosing which authority to use.) This avoids confused deputy traps, where a program unknowingly abuses a trust by exercising an authority it holds for its own purposes on behalf of whoever happens to be calling it. In the Security Zone scheme a program is invisibly endowed with certain categorical rights but is unable to discriminate which authority it uses. I must translate the scenario given in the Confused Deputy paper into a web scenario.
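The two points above, categorical rights versus rights that designate a specific instance, and ambient authority versus explicitly named capabilities, can be seen side by side in a small program. What follows is an added example written for this page; it is not code from Microsoft, from the white paper, or from the Confused Deputy paper. It models the paper’s scenario (a compiler that must update a billing file and is asked by its caller where to write debug output) in two designs. Design A endows the compiler with a categorical, zone-style right to write files; Design B hands it capability objects, each naming one file. The file names, the in-memory file system, and the “bill:” contents are constructed for illustration. Python cannot make objects unforgeable, so the example models the discipline of a capability system (the user’s code only holds the capabilities it was given and has no way to mint one for the billing file) rather than enforcing it.

```python
"""Added example: the Confused Deputy in two designs (not from the original page).

Design A: the deputy runs with a categorical, ambient right ("may write files"),
the way a security zone endows visiting code.
Design B: the deputy holds explicit capabilities; each write names the capability
it uses, so the authority and the object are chosen together.
"""

# Constructed paths for the toy scenario.
BILLING_FILE = "/sysx/bill"          # the deputy's own billing record
USER_FILE = "/home/alice/out.dbg"    # a file the calling user legitimately owns


class FileSystem:
    """In-memory stand-in for a real file system."""

    def __init__(self) -> None:
        self.files: dict[str, str] = {BILLING_FILE: "bill: 0"}

    def write(self, path: str, data: str) -> None:
        self.files[path] = data

    def read(self, path: str) -> str:
        return self.files[path]


# ---------- Design A: zone-style categorical rights (ambient authority) ----------

class ZoneCompiler:
    """Deputy endowed by its zone with a category of rights. It has no way to
    say whether a given write is meant to use its own authority or the caller's."""

    def __init__(self, fs: FileSystem, zone_rights: set[str]) -> None:
        self.fs = fs
        self.zone_rights = zone_rights

    def _write(self, path: str, data: str) -> None:
        # The only check available is categorical: may code from this zone write files?
        if "write-files" not in self.zone_rights:
            raise PermissionError(path)
        self.fs.write(path, data)

    def compile(self, source: str, debug_out: str) -> None:
        self._write(BILLING_FILE, "bill: 1")                   # the deputy's own duty
        self._write(debug_out, f"debug output for {source}")   # a caller-chosen name


def run_zone_scenario() -> str:
    """Return the billing file's contents after the confused-deputy attack."""
    fs = FileSystem()
    compiler = ZoneCompiler(fs, zone_rights={"write-files"})
    # The user names the billing file as the debug output. The deputy's one
    # categorical right covers both writes, so the billing record is clobbered.
    compiler.compile("prog.c", debug_out=BILLING_FILE)
    return fs.read(BILLING_FILE)


# ---------- Design B: explicit capabilities that designate one instance ----------

class WriteCap:
    """A capability: the right to write one specific file. Invoking it names the
    authority and the object in a single act."""

    def __init__(self, fs: FileSystem, path: str) -> None:
        self._fs = fs
        self.path = path

    def write(self, data: str) -> None:
        self._fs.write(self.path, data)


class CapCompiler:
    """Deputy holding only the capabilities it was handed at creation plus those
    passed with each request; every write says which one it is using."""

    def __init__(self, billing: WriteCap) -> None:
        self._billing = billing

    def compile(self, source: str, debug_out: WriteCap) -> None:
        self._billing.write("bill: 1")                  # the deputy's authority
        debug_out.write(f"debug output for {source}")   # the caller's authority


def run_capability_scenario() -> dict:
    """Return billing and user file contents plus whether the attack was blocked."""
    fs = FileSystem()
    compiler = CapCompiler(billing=WriteCap(fs, BILLING_FILE))
    # The user holds capabilities only for files it owns (modelled as the only
    # entries in this dict). A path string is not a capability, so naming the
    # billing file yields nothing to pass to the deputy.
    user_caps = {USER_FILE: WriteCap(fs, USER_FILE)}
    attack_blocked = user_caps.get(BILLING_FILE) is None
    compiler.compile("prog.c", debug_out=user_caps[USER_FILE])
    return {
        "billing": fs.read(BILLING_FILE),
        "user_file": fs.read(USER_FILE),
        "attack_blocked": attack_blocked,
    }


if __name__ == "__main__":
    print("Design A billing file:", run_zone_scenario())
    print("Design B result:", run_capability_scenario())
```

In Design A the billing record ends up holding the user’s debug output, because the compiler’s single categorical right serves both the write it does for itself and the write it does for the caller. In Design B the compiler can only write the billing file through the capability it was created with, and can only write debug output through a capability the caller actually holds; the user, lacking a capability for the billing file, has nothing to pass.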