[cap-talk] Re: "capabilities" as data vs. as descriptors -OS security discussion, restricted access processes, etc.

Norman Hardy norm at cap-lore.com
Tue May 11 17:21:16 EDT 2004


On May 11, 2004, at 10:15 AM, Karp, Alan wrote:

> Ian Grigg wrote:
>>
>> Who else agrees that design requirements for
>> a capability system should include audits?
>>
>
> The ability to audit is an important feature of any commercial system. 
>  It's hard to manage a system if you don't know what it's doing.  It's 
> hard to find an error if you don't know what process did what when.

It is very difficult to design the authority (capabilities) with which 
to access an audit trail produced by the foundations. There is a 
bottoming out problem.
On the other hand it is possible to hand out capabilities whose 
invocation leaves a record accessible to whoever handed out such a 
capability. This does not involve hooks in the foundation.
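The forwarding pattern in the last paragraph, as an added example (not code from the thread): the issuer wraps a capability in a forwarder that records every invocation in a log the issuer alone holds, so no support from the kernel or "foundation" is needed. FileReadCap, AuditRecord, hand_out and demo are illustrative names assumed here; in Python the encapsulation is by convention, whereas a real capability system supplies the unforgeability.

```python
from dataclasses import dataclass

# Constructed example (not from the thread): a file-read capability is modelled
# as an object whose only interface is invoke(). In Python the encapsulation is
# by convention; a real capability OS makes the reference unforgeable.
class FileReadCap:
    def __init__(self, contents: str):
        self._contents = contents

    def invoke(self, offset: int, length: int) -> str:
        if not isinstance(offset, int) or not isinstance(length, int):
            raise TypeError("offset and length must be integers")
        return self._contents[offset:offset + length]


@dataclass(frozen=True)
class AuditRecord:
    holder: str      # who the issuer handed the capability to
    args: tuple      # arguments of the invocation
    ok: bool         # whether the underlying invocation succeeded


def hand_out(cap, holder: str, log: list):
    """Return a forwarding capability. Each invocation is recorded in `log`,
    which stays with the issuer; the holder receives only invoke()."""
    class Forwarder:
        def invoke(self, *args):
            try:
                result = cap.invoke(*args)
            except Exception:
                log.append(AuditRecord(holder, args, False))
                raise
            log.append(AuditRecord(holder, args, True))
            return result
    return Forwarder()


def demo():
    """Issuer hands an audited capability to 'alice' and reads the trail back."""
    issuer_log = []                      # private to the issuer, no kernel hook
    raw = FileReadCap("secret contents")
    alice_cap = hand_out(raw, "alice", issuer_log)
    first = alice_cap.invoke(0, 6)       # legitimate use, logged as ok
    try:
        alice_cap.invoke("x", 1)         # bad invocation, logged as failed
    except TypeError:
        pass
    return first, issuer_log
```

The holder of alice_cap can use the file exactly as with the raw capability, but only the issuer, who kept issuer_log, can read the trail; failed invocations are recorded too, which is what makes the record useful for finding "what process did what when".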
