[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Distributed Capabilities

From: Jonathan S. Shapiro
Subject: Re: Distributed Capabilities
Date: Mon, 27 Mar 2006 14:05:09 -0500

On Mon, 2006-03-27 at 14:57 +0200, Ludovic Courtès wrote:
> Hi,
> Tom Bachmann <address@hidden> writes:
> > As described in one of my mails [1] to coyotos-dev and somewhere on
> > the E language homepage [2] it is possible to implement transparent
> > "remote" capabilities, i.e. caps that are invoked like normal local
> > ones but that actually invoke servers on other machines over the
> > net.
> That is feasible, except that you lose confinement (i.e., the bit
> representation of capabilities is visible to the participants, so one
> can transfer capabilities off-line, e.g., over the phone), unless you
> consider that some ``trusted kernel'' hides that representation to
> applications on both ends.  This is what is proposed in [0] where the
> trusted thing is the language runtime running on both ends.

Actually, it's a very old idea. It's been proposed for KeyKOS and EROS,
and it goes back at least to DCCS (1976).

Either you have a trust agreement between the kernels, or no distributed
security story is possible in principle. Doesn't matter if it is
capabilities or something else.

> However, in practice, as Marcus said, everyone is free to run whatever
> OS they may like.

Not necessarily. This is an example of one of the *valid* uses of remote
attestation. Attestation gives me the ability to form my associations
with other people selectively. The right to assemble selectively is a
fundamental freedom that is currently not supported in computational

> [0] http://www.erights.org/elib/capability/dist-confine.html

E is a bit different, because it can at least trace exposure to a
particular machine and test consequences of partial security failures.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]