{"_self":{"principle":"Self-explaining payload — no external context required. This _self block describes what you are reading and where to look next.","widget":"article_topology","feature":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","contains":"claims, sources, anecdotes, question_graph slice","slug":"what-is-capability-security","urls":{"read":"https://miscsubjects.com/api/articles/what-is-capability-security/topology"},"how_to_use":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","write":null,"imessage":null,"router_tag":null,"proof_chain":[{"step":1,"claim":"Articles are voxel graphs of tiered claims, not prose blobs.","verify":"https://miscsubjects.com/api/articles/constitution"},{"step":2,"claim":"Claims link to hash-chained sources via source_ids.","verify":"https://miscsubjects.com/api/articles/what-is-capability-security/sources"},{"step":3,"claim":"Ask reads topology; ingest/claim append to ledger.","verify":"https://miscsubjects.com/api/protocol"},{"step":4,"claim":"Models queue growth: populate → collaborate → repair → reflex.","verify":"https://miscsubjects.com/api/protocol/grow"},{"step":5,"claim":"Graph proves its own shape (reflex) and $/claim (yield).","verify":"https://miscsubjects.com/graph.html?layer=reflex"},{"step":6,"claim":"Full feature index + _explain on every API response.","verify":"https://miscsubjects.com/api/articles/system-map"}],"related_features":[{"id":"ask","name":"Ask protocol","what":"Answer only from topology; creates question_node with gaps and ingest_hint.","urls":{"read":"https://miscsubjects.com/api/articles/what-is-capability-security/prompts","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"graph_topology","name":"Cross-article graph","what":"Merged claims/sources across condition+stack slugs for one question.","urls":{"read":"https://miscsubjects.com/api/articles/what-is-capability-security/graph-topology?question=..."}},{"id":"question_graph","name":"Question graph","what":"Ask nodes (questions + gaps) and evidence_ingest nodes (pasted model output).","urls":{"read":"https://miscsubjects.com/api/articles/what-is-capability-security/question-graph","write":"https://miscsubjects.com/api/protocol/ask"}},{"id":"voxels","name":"Voxel graph","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance.","urls":{"read":"https://miscsubjects.com/api/articles/what-is-capability-security/voxels","write":"https://miscsubjects.com/api/protocol/claim"}}],"system_map":"https://miscsubjects.com/api/articles/system-map","system_map_markdown":"https://miscsubjects.com/api/articles/system-map?format=markdown","not_medical_advice":true},"_explain":{"feature":"topology","name":"Article topology","what":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","why":"Every feature is auditable collective intelligence","how":"Claims, sources, anecdotes, user reports, related embeds, question graph slice — for ask/ROUTER.","model":null,"verifies":null,"urls":{"read":"https://miscsubjects.com/api/articles/what-is-capability-security/topology"},"imessage":null,"router":null,"related":[{"id":"ask","what":"Answer only from topology; creates question_node with gaps and ingest_hint."},{"id":"graph_topology","what":"Merged claims/sources across condition+stack slugs for one question."},{"id":"question_graph","what":"Ask nodes (questions + gaps) and evidence_ingest nodes (pasted model output)."},{"id":"voxels","what":"Claims as atoms, sources as edges (supported_by, posted_by). Per-claim provenance."}],"not_medical_advice":true},"slug":"what-is-capability-security","title":"What Is Capability-Based Security","register":"standard","tags":["oip","kimi-import","self-explaining","voxel","concepts","what-is-capability-security"],"updated_at":"2026-07-15T04:20:51.746Z","body_excerpt":"<!-- hierarchy:nav -->\n> **Path:** [OIP](https://miscsubjects.com/a/oip) › [Thinker Reference](https://miscsubjects.com/a/oip-thinker-reference) › [Protocol Concepts](https://miscsubjects.com/a/oip-protocol-concepts) › **What Is Capability-Based Security**\n>\n> **Shelf:** Protocol Concepts · **Traversal:** self-explaining · hierarchical · voxel-ready\n> **Machine root:** [OIP tree](https://miscsubjects.com/api/dispatch?map=1&format=markdown) · [Registry](https://miscsubjects.com/api/dispatch?registry=1)\n\n# What Is Capability-Based Security\n\n## §SELF — what-is-capability-security\n\n**What this page is:** A definition of capability-based security and its core principles.\n**What it explains:** How possession of a reference (capability) grants permission to use a resource, eliminating the need for separate access control mechanisms.\n**Why read it:** To understand why capability security removes entire categories of vulnerabilities that traditional permission-based systems cannot prevent.\n\n### What Capability-Based Security Is\n\nCapability-based security is an access control model where possession of an unforgeable reference (called a capability) to a resource is both necessary and sufficient to use that resource. There is no separate permission check, no access control list, and no central authority that decides who can do what. If you hold the capability, you can use the resource. If you do not hold it, you cannot.\n\nThe model was first proposed by Jack Dennis in 1966 for the Multics operating system. A capability is a token (a number, a handle, a reference) that simultaneously identifies a resource and grants authority to access it. The two functions — identification and authorization — are merged into a single object.\n\n### Why It Matters\n\nTraditional security systems separate identification from authorization. A user proves who they are (authentication), then a separate system checks whether that identity has permission to perform an action (authorization). This separation creates vulnerabilities. Programs can act with authority that was granted to them for one purpose but used for another. Attackers can escalate privileges by tricking the authorization system. Capability-based security eliminates these problems by embedding authority in the reference itself.\n\n### The Key Idea\n\nFour principles define capability-based security:\n\n1. **Possession conveys authority.** Holding a capability is the only requirement to use the resource it points to. There is no additional check, no gatekeeper, no query to a permissions database.\n2. **Capabilities are unforgeable.** You cannot guess, manufacture, or discover a capability. It must be given to you by someone who already has it, or created by the system with proper authority. Unforgeability means capabilities are typically large random numbers or cryptographic tokens that cannot be predicted.\n3. **Delegation is safe.** Passing a capability to another party is the only way to grant access. When you delegate, you do not open a back door or create a new permission entry. You simply hand over the same reference. The recipient can use it exactly as you could (unless you attenuate it first).\n4. **Attenuation is possible.** A parent capability can be used to create a child capability with narrower scope: fewer operations, shorter time limit, or a maximum number of uses. The child cannot be expanded back to the parent's scope. This allows safe delegation of partial authority.\n\n**The confused deputy problem:** A confused deputy is a program that has authority but uses it on behalf of a requester without knowing whether the requester should have that authority. Example: a compiler runs with system privileges. A user asks it to write output to a protected file. The compiler, acting as a deputy, uses its own authority to write the file. The user has escalated privilege through the confused compiler. Capability-based security solves this by requiring the requester to provide a capability for the output file","ranking":"safety-first (interaction_risk/limitations), then quote-gated effective_weight","claims":[],"sources":[],"anecdotal_sources":[],"scientific_sources":[],"user_reports":[],"related_articles":[],"question_graph":{"slug":"what-is-capability-security","questions":[],"evidence":[],"edges":[],"counts":{"questions":0,"evidence":0,"edges":0}},"honesty":{"active_claims":0,"retracted_claims":0,"cut_claims":0,"challenges":0,"scrub_events":0,"note":"Retracted/cut claims stay on ledger but are excluded from ask unless ?include_inactive=1"},"counts":{"claims":0,"claims_total":0,"sources":0,"anecdotal":0,"scientific":0,"user_reports":0,"questions":0,"evidence_ingests":0}}