Most of the high-level goals of capability design have been expressed, in these pages, from a security perspective. A different perspective is that capability design lets applications: Here is a stab at these ideas as seen by the owner-operator of the machine.

A system may host many applications, some of which share abstracted state and also hold abstracted state private to some of the users. A database system needs all of this and more. The apartment gives an application and its installation logic a place to run in privacy. It protects the application logic from all external influences until the installation process reaches the point of connecting with things outside the apartment, and the application then chooses which signals from outside to accept and how to interpret them. That interpretation is done by the explicit logic of the application. No weaker protection can guarantee that a correctly written application will run correctly in the presence of other buggy or hostile applications on the same platform.

I use "privacy" in an unusual sense in this note, since it refers to a program. A program may need privacy:

Keykos applications generally followed the factory pattern, in which the state of the apartment ceases to change once the sealed factory is presented to those outside. The state of the application's apartment is thereafter constant, barring on-site debugging of the application logic by the application owner, but that case belongs to the more complex compartment pattern.

Another plan is for the application to go on living in the apartment and serve clients from there. This is necessary if the application must intermix state held in trust for different clients. Even in this case a factory might be preferred, with the factory invoked once for each such pot of state soup. The pots are then separate and mutually discreet.

The user

From this perspective the users own compartments from which they use the software on the platform. The virus that came with the editor program cannot steal files it should not see, because the user's shell never delivers access to such files to the editor. The user's client, the shell, plays the role described above of an application guarding the stability and privacy of the user against needless exposure to hostile applications.
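The two patterns above, the sealed factory that yields mutually separate instances and the shell that hands an editor access to exactly one file, can be sketched in plain Python. This is an added example written for this note, not Keykos code; the names (FileCap, ReadOnlyCap, Factory, Editor, Shell) and the in-memory file store are assumptions for illustration, and since Python offers no real confinement the example assumes the editor reaches files only through the capabilities it is handed.

```python
# Added example, not from the original note: a toy object-capability model of
# the factory pattern and of a shell that attenuates what an editor can reach.
# All names and the in-memory "file store" are assumptions for illustration.


class FactorySealed(Exception):
    """Raised on an attempt to change a factory after it has been sealed."""


class FileCap:
    """Reference to one file in a store. Holding it grants read and write on
    that file and on nothing else; there is no way to name other files."""

    def __init__(self, store, name):
        self._store, self._name = store, name

    @property
    def name(self):
        return self._name

    def read(self):
        return self._store[self._name]

    def write(self, data):
        self._store[self._name] = data


class ReadOnlyCap:
    """Attenuated capability: forwards read() only, so there is no write()."""

    def __init__(self, cap):
        self._cap = cap

    @property
    def name(self):
        return self._cap.name

    def read(self):
        return self._cap.read()


class Factory:
    """Holds an application's components. install() works only before seal();
    after seal() the factory never changes and produce() yields instances."""

    def __init__(self, builder):
        self._builder, self._components, self._sealed = builder, {}, False

    def install(self, key, value):
        if self._sealed:
            raise FactorySealed(key)
        self._components[key] = value

    def seal(self):
        self._sealed = True
        return self

    def produce(self, *caps):
        if not self._sealed:
            raise RuntimeError("seal the factory before it yields instances")
        # Each yield gets its own copy of the component table, so instances
        # share nothing mutable with each other or with the factory.
        return self._builder(dict(self._components), *caps)


class Editor:
    """Application instance (possibly hostile). It holds one file capability
    and private buffer state; it has no path to any other file."""

    def __init__(self, components, file_cap):
        self._banner, self._file = components["banner"], file_cap
        self._buffer = file_cap.read()

    def append(self, text):
        self._buffer += text

    def buffer(self):
        return self._buffer

    def save(self):
        self._file.write(self._buffer)

    def reachable_files(self):
        return [self._file.name]  # everything a virus in here could touch


class Shell:
    """The user's client. It alone holds the file store and decides which
    capability each application instance receives."""

    def __init__(self, files):
        self._files = dict(files)

    def files(self):
        return dict(self._files)

    def open_editor(self, factory, name, read_only=False):
        cap = FileCap(self._files, name)
        return factory.produce(ReadOnlyCap(cap) if read_only else cap)


def sealed_rejects_install(factory):
    try:
        factory.install("banner", "changed")
        return False
    except FactorySealed:
        return True


def demo():
    # Constructed sample data for the example.
    shell = Shell({"letter.txt": "Dear ", "secret.txt": "bank pin 1234"})
    factory = Factory(Editor)
    factory.install("banner", "toy editor 1.0")
    factory.seal()
    e1 = shell.open_editor(factory, "letter.txt")
    e2 = shell.open_editor(factory, "letter.txt")
    e1.append("Alice")
    e1.save()
    ro = shell.open_editor(factory, "secret.txt", read_only=True)
    try:
        ro.save()
        blocked = False
    except AttributeError:  # ReadOnlyCap has no write()
        blocked = True
    return {
        "sealed_rejects_install": sealed_rejects_install(factory),
        "e1_reach": e1.reachable_files(),
        "e2_buffer": e2.buffer(),
        "letter": shell.files()["letter.txt"],
        "secret": shell.files()["secret.txt"],
        "read_only_save_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `reachable_files` is that the answer is the whole of the editor's authority: it is computed from what the shell passed in, not from anything the editor could look up, which is what the note means by the shell never delivering access to files the editor should not see.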