[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Distributed Capabilities

From: Jonathan S. Shapiro
Subject: Re: Distributed Capabilities
Date: Mon, 27 Mar 2006 14:07:16 -0500

On Mon, 2006-03-27 at 16:48 +0200, Tom Bachmann wrote: 
> > That is feasible, except that you lose confinement (i.e., the bit
> > representation of capabilities is visible to the participants, so one
> > can transfer capabilities off-line, e.g., over the phone)
> Right. But the point of "distributed caps" is that they are sent over 
> net, i.e. the bit representation is made visible.

The first statement is correct. The second is not. Make the links
between the platforms encrypted.

> So if you want confinement the app must not hold (transitively) a cap to 
> the forwarder (i.e. a wrapped "distributed cap").

The reason you need to wrap isn't security. The reason is that a
capability to a particular page on a particular machine has no intrinsic
meaning on any other machine. The only sensible interpretation of a
distributed capability system in this context is where the "remoted"
capability acts as a proxy for the real one.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]