-rw-r--r-- capability.mdwn 106
-rw-r--r-- microkernel/eros.mdwn 15
-rw-r--r-- microkernel/mach/port.mdwn 24
-rw-r--r-- open_issues/multithreading.mdwn 3
-rw-r--r-- persistency.mdwn 25
-rw-r--r-- unix/file_descriptor.mdwn 3
6 files changed, 162 insertions, 14 deletions
diff --git a/capability.mdwn b/capability.mdwn
index d78810d5..ddadf137 100644
--- a/capability.mdwn
+++ b/capability.mdwn
@@ -1,4 +1,4 @@
-[[!meta copyright="Copyright © 2007, 2008, 2010 Free Software Foundation,
+[[!meta copyright="Copyright © 2007, 2008, 2010, 2011 Free Software Foundation,
Inc."]]
[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
@@ -28,6 +28,110 @@ sent a string to identify the file to B, the identifier lacks a
than A intended. Be ensuring that [[designation]] and [[authorization]] are
always bound together, these problems are avoided.
+Capability-based system architectures strive to meet the *principle of least
+privilege* ({{$wikipedia_polp}}).
+
+[[!tag open_issue_documentation]] <!--
+Revoking capabilities: destroy Mach port, invalidates *all* send rights. See
+shapiro_capintro_1999. To be more fine-grained, need separate instances, for
+example, valet key vs. door key. Proxy objects (that can be destroyed
+individually); attenuation design pattern, membranes
+(wikipedia_object-capability_model)?
+-->
+
+A capability mechanism is typically implemented in software my the operating
+system kernel (typically a [[microkernel]]. The computing cost (as compared to
+a hardware implementation) is neglectable.
+
+
+[[!tag open_issue_documentation]] <!--
+References. shapiro_capintro_1999 has a bit.
+-->
+
+
+[[!tag open_issue_documentation]] <!--
+# Advantages
+
+ * increased security; POLP
+
+ * easy exchanging of functionality
+
+ * support modular design and encapsulation
+
+ * easy collaboration (in theory; need real example)
+
+-->
+
+
+# UNIX
+
[[UNIX file descriptors|unix/file_descriptor]] can be viewed as capabilities.
They do not survive reboot, that is, they are not [[persistent|persistency]].
To work around this, [[ACL]]s are used to recover authority.
+
+
+# GNU/Hurd
+
+In the GNU/Hurd system, a capability is represented by a [[Mach
+port|microkernel/mach/port]]. As in UNIX (see above), they are not
+[[persistent|persistency]].
+
+
+# Further Reading
+
+ * [[Mach port|microkernel/mach/port]]
+
+[[!toggleable id=shapiro_capintro_1999 text="""[[!template id=note
+text="*[[shapiro\_capintro\_1999|capability]]*:
+{{$capability#shapiro_capintro_1999}}.
+{{$capability#shapiro_capintro_1999_text}}."]]"""]]
+
+ * [[!toggle id=shapiro_capintro_1999 text="[shapiro\_capintro\_1999]"]]
+
+ * {{$wikipedia_capability-based_security}}
+
+ * {{$wikipedia_object-capability_model}}
+
+ * {{$wikipedia_polp}}
+
+
+[[!tag open_issue_documentation]] <!--
+<http://www.eros-os.org/essays/wherefrom.html>,
+<http://www.eros-os.org/essays/ACLSvCaps.html>,
+<http://www.cap-lore.com/CapTheory/index.html>,
+<http://www.cap-lore.com/CapTheory/tddCap.html>
+<http://www.skyhunter.com/marcs/capabilityIntro/>
+-->
+
+
+[[!ymlfront data="""
+
+shapiro_capintro_1999:
+
+ "[What *is* a Capability,
+ Anyway?](http://www.eros-os.org/essays/capintro.html), Jonathan Shapiro,
+ 1999"
+
+shapiro_capintro_1999_text:
+
+ "This is an easily readable introduction with good examples. In the author's
+ own words, the text *provides a layman's introduction to capabilities,
+ describing what they are, what they do, and why they result in better
+ security than today's computer systems*"
+
+wikipedia_capability-based_security:
+
+ "[[!wikipedia Capability-based_security desc=\"Wikipedia, capability-based
+ security\"]]"
+
+wikipedia_object-capability_model:
+
+ "[[!wikipedia Object-capability_model desc=\"Wikipedia, object-capability
+ model\"]]"
+
+wikipedia_polp:
+
+ "[[!wikipedia Principle_of_least_privilege desc=\"Wikipedia, principle of
+ least privilege\"]]"
+
+"""]]
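Review bot: the added paragraph beginning "A capability mechanism is typically implemented in software" has three defects: "my the operating system" should be "by the operating system", the parenthesis opened before "[[microkernel]]" is never closed, and "neglectable" should be "negligible". The claim that the cost relative to a hardware implementation is negligible is also asserted without support; either qualify it or point at shapiro_capintro_1999 as the source. Separately, the commented-out revocation note (destroying a Mach port invalidates all send rights at once, so fine-grained revocation needs per-client proxy objects, attenuation or membranes) is the most security-relevant content in this hunk and would serve readers better as visible text under its own heading than hidden inside an open_issue_documentation comment. While here, the unchanged context line "Be ensuring that [[designation]] and [[authorization]] are always bound together" should read "By ensuring".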
diff --git a/microkernel/eros.mdwn b/microkernel/eros.mdwn
new file mode 100644
index 00000000..be1ca90a
--- /dev/null
+++ b/microkernel/eros.mdwn
@@ -0,0 +1,15 @@
+[[!meta copyright="Copyright © 2011 Free Software Foundation, Inc."]]
+
+[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
+id="license" text="Permission is granted to copy, distribute and/or modify this
+document under the terms of the GNU Free Documentation License, Version 1.2 or
+any later version published by the Free Software Foundation; with no Invariant
+Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license
+is included in the section entitled [[GNU Free Documentation
+License|/fdl]]."]]"""]]
+
+[[!tag open_issue_documentation]]
+
+<http://www.eros-os.org/>
+
+TODO. <http://www.eros-os.org/essays/reliability/paper.html>
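Review bot: the new page consists only of a tag, a bare link and a TODO, so anything linking to [[microkernel/eros]] lands on an empty page. At least one sentence saying what EROS is and why it is referenced from [[capability]] and [[persistency]] (a capability-based, persistent system whose essays are cited on both pages) would make the stub useful until the TODO is resolved.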
diff --git a/microkernel/mach/port.mdwn b/microkernel/mach/port.mdwn
index 7f02628d..26b55456 100644
--- a/microkernel/mach/port.mdwn
+++ b/microkernel/mach/port.mdwn
@@ -1,4 +1,4 @@
-[[!meta copyright="Copyright © 2002, 2003, 2007, 2008, 2010 Free Software
+[[!meta copyright="Copyright © 2002, 2003, 2007, 2008, 2010, 2011 Free Software
Foundation, Inc."]]
[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
@@ -10,8 +10,8 @@ is included in the section entitled [[GNU Free Documentation
License|/fdl]]."]]"""]]
[[Mach]] *port*s are [[capabilities|capability]], and are also essentially
-similar to [[UNIX]] pipes. They are communication channels, implemented by
-kernel queues.
+similar to [[UNIX]] pipes. They are unforgeable communication channels,
+implemented by kernel queues.
Each port has associated with it one *receive right* and one or more *send
right*s and *send-once right*s. That is, there is one receiver and one or more
@@ -39,7 +39,7 @@ like [[UNIX file descriptors|unix/file_descriptor]]. Only these local names
can be used by [[thread]]s for invoking operations on ports, threads do not
deal with port rights directly.
-For that, each task has associated with it a *port address_space*, or *port
+For that, each task has associated with it a *port address space*, or *port
name space*. All ports are addressed via this table. Each task thus has its
own private [[naming_context]] for port rights.
@@ -58,20 +58,24 @@ The delivery of [[message]]s is reliable and strictly ordered. When a
intermediate messages that are sent by other threads.
Ports are objects that are implemented by the [[kernel]], and they are
-kernel-protected resources. There is no way for a [[task]] to do anything with
-a port unless it have corresponding port right.
+kernel-protected resources: they are unforgeable, and there is no way for a
+[[task]] to do anything with a port unless it have corresponding port right.
Due to this, ports are globally unique. This makes them ideal for constituting
-system-wide *object references*. For example, the [[RPC]] system as used by
-the GNU Hurd works by invoking *methods* on such object references. The
-available methods are defined in [[hurd/interface]] files, and are processes by
-the [[MIG]] tool.
+system-wide *object references*. (Fruther reading:
+{{$capability#wikipedia_object-capability_model}}.) For example, the [[RPC]]
+system as used by the GNU Hurd works by invoking *methods* on such object
+references. The available methods are defined in [[hurd/interface]] files, and
+are processes by the [[MIG]] tool.
Invoking an operation on a port does not transfer the current execution control
to the receiver, but instead is an asynchronous operation. For this, and
especially in a [[RPC]] system, the sender may include a *reply port* using a
send-once right, and synchronize (block) on that one.
+
+# Port Set
+
A [[thread]] can only block receiving on a single port. To work around this,
the concept of a *port set* was introduced. A receive right can be added to
(at most) one port set. These port sets look like port receive rights, but
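Review bot: "Fruther reading" on the added line should be "Further reading". Since the sentence on kernel-protected resources is being rewritten anyway, fix the grammar carried over from the old text: "unless it have corresponding port right" should be "unless it has the corresponding port right", and "are processes by the [[MIG]] tool" should be "are processed by". The new "unforgeable" wording would also be stronger with the reason, which this page already gives a few lines up: a task only ever handles kernel-assigned local names in its port name space, so it cannot construct a port right itself and can only obtain one from the kernel or from a task that already holds one.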
diff --git a/open_issues/multithreading.mdwn b/open_issues/multithreading.mdwn
index 4309494d..1fc2c318 100644
--- a/open_issues/multithreading.mdwn
+++ b/open_issues/multithreading.mdwn
@@ -47,7 +47,8 @@ Tom Van Cutsem, 2009.
* [[Erlang-style_parallelism]]
- * [[!wikipedia Actor_model]]
+ * [[!wikipedia Actor_model]]; also see overlap with
+ {{$capability#wikipedia_object-capability_model}}.
* [libtcr - Threaded Coroutine Library](http://oss.linbit.com/libtcr/)
diff --git a/persistency.mdwn b/persistency.mdwn
index 36f90c8a..d45ebacc 100644
--- a/persistency.mdwn
+++ b/persistency.mdwn
@@ -1,4 +1,4 @@
-[[!meta copyright="Copyright © 2007, 2008, 2010 Free Software Foundation,
+[[!meta copyright="Copyright © 2007, 2008, 2010, 2011 Free Software Foundation,
Inc."]]
[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
@@ -17,3 +17,26 @@ processes and [[capabilities|capability]] also survive reboot. To a
process, it generally only looks as if it had not been
scheduled for a long time; the rest of its environment
remains essentially the indistinguishable.
+
+
+# GNU/Hurd
+
+The GNU/Hurd is not a persistent system: there are no persistent
+[[capabilities|capability]]. All data that is stored in files in the file
+system, is serialized.
+
+
+# Further Reading
+
+[[!toggleable id=shapiro_capintro_1999 text="""[[!template id=note
+text="*[[shapiro\_capintro\_1999|capability]]*:
+{{$capability#shapiro_capintro_1999}}.
+{{$capability#shapiro_capintro_1999_text}}."]]"""]]
+
+ * Section *Writing Things Down* in [[!toggle id=shapiro_capintro_1999
+ text="[shapiro\_capintro\_1999]"]].
+
+
+[[!tag open_issue_documentation]] <!--
+<http://www.eros-os.org/essays/Persistence.html>
+-->
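Review bot: "All data that is stored in files in the file system, is serialized." is unclear and has a stray comma; presumably it means that because capabilities (Mach ports) do not survive a reboot, any state a program needs to keep must be explicitly serialized into files, with authority re-established afterwards through ACLs as described on [[capability]]. Spell that out instead of leaving the reader to infer it. The unchanged context line "remains essentially the indistinguishable" should read "remains essentially indistinguishable".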
diff --git a/unix/file_descriptor.mdwn b/unix/file_descriptor.mdwn
index 6f8533c5..b40db67f 100644
--- a/unix/file_descriptor.mdwn
+++ b/unix/file_descriptor.mdwn
@@ -1,4 +1,4 @@
-[[!meta copyright="Copyright © 2010 Free Software Foundation, Inc."]]
+[[!meta copyright="Copyright © 2010, 2011 Free Software Foundation, Inc."]]
[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
id="license" text="Permission is granted to copy, distribute and/or modify this
@@ -11,6 +11,7 @@ License|/fdl]]."]]"""]]
A *file descriptor* is a [[concept]] of [[UNIX]], and represents a
non-[[persistent|persistency]] handle to an object (a file, for example). With
respect to specific aspects, it is comparable to a [[capability]].
+This is detailed in {{$capability#wikipedia_capability-based_security}}.
In a GNU Hurd system, the concept of file descriptors is based on object
handles (through [[Mach ports|microkernel/mach/port]]), and is [[implemented in
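Review bot: the added sentence "This is detailed in {{$capability#wikipedia_capability-based_security}}." defers entirely to the Wikipedia link without saying which "specific aspects" the preceding sentence has in mind. Naming them here (a kernel-managed handle that binds designation and authorization, but is not persistent) would make the comparison with [[capability]] self-contained and keep the link as supporting reading rather than the only explanation.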