[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Distributed Capabilities

From: Tom Bachmann
Subject: Re: Distributed Capabilities
Date: Mon, 27 Mar 2006 21:17:56 +0200
User-agent: Mozilla Thunderbird 1.0.7 (X11/20051031)

Jonathan S. Shapiro wrote:
On Mon, 2006-03-27 at 16:48 +0200, Tom Bachmann wrote:
That is feasible, except that you lose confinement (i.e., the bit
representation of capabilities is visible to the participants, so one
can transfer capabilities off-line, e.g., over the phone)

Right. But the point of "distributed caps" is that they are sent over net, i.e. the bit representation is made visible.

The first statement is correct. The second is not. Make the links
between the platforms encrypted.

still the other machine has to be trusted (OK, passing a cap to an untrusted entity hoping it doesn't spread is is stupid). I was confused by the "send by phone" statement, that is possible now.

So if you want confinement the app must not hold (transitively) a cap to the forwarder (i.e. a wrapped "distributed cap").

The reason you need to wrap isn't security. The reason is that a
capability to a particular page on a particular machine has no intrinsic
meaning on any other machine. The only sensible interpretation of a
distributed capability system in this context is where the "remoted"
capability acts as a proxy for the real one.

Hm, I'm not sure if we're talking about the same issue. In my scenario the forwarder wraps every cap to another machine, so it can be invoked locally.

I think now I am a bit confused about who can trust whom and what breaks confinement and what not in a network environment :)

reply via email to

[Prev in Thread] Current Thread [Next in Thread]