[cap-talk] membrane (was ... network capabilities)
clandau at macslab.com
Thu Nov 4 17:33:27 EST 2004
At 7:54 PM -0800 11/3/04, Jed at Webstart wrote:
>>Mark Miller wrote:
>>still possible even in such restricted object-cap systems, whereas they
>>are not in cap-as-data or crypto-cap systems.
>I hadn't heard this term "membrane" before, but after reading the
>reference I believe I understand what it refers to. I believe what
>it means (correct me if I get it wrong please Mark or others) is
>a mechanism where a process can proxy a capability in such
>a way that any capabilities that pass through to the holder
>of the proxied capability are themselves proxied in an associated
>way. That is, the process doing the proxying can watch any
>traffic coming in or going out on the proxied capabilities (e.g.
>to further expand the membrane to any capabilities passed
>out) and could do things like log any traffic or revoke all the
>proxied capabilities en masse, etc.
Isn't this exactly what the DCCS
(http://www.webstart.com/jed/papers/DCCS/) does? It proxies passed
capabilities not only because it wants to, but because it must.
If you want to proxy transparently, which means preserving the "eq"
property, you must proxy the passed capabilities too, thus you are
implementing a membrane.
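The membrane Jed describes, as an added example that is not code from this thread or from the DCCS: a revocable, logging membrane built on the ES Proxy API, with a constructed sample directory capability (the names makeMembrane and makeDir are my own).

```javascript
// Added example. Every object that crosses the membrane is wrapped on the way
// out and unwrapped on the way back in, so capabilities handed out through the
// proxied capability are themselves proxied, identity ("eq") is preserved,
// every access is logged, and one revoke() cuts off the whole set at once.
function makeMembrane(target) {
  let revoked = false;
  const log = [];
  const toProxy = new WeakMap();    // original -> proxy (preserves eq)
  const toOriginal = new WeakMap(); // proxy -> original (for unwrapping)

  const isRef = (v) => v !== null && (typeof v === 'object' || typeof v === 'function');
  const unwrap = (v) => toOriginal.get(v) || v;

  function wrap(obj) {
    if (!isRef(obj)) return obj;          // primitives cross unchanged
    if (toOriginal.has(obj)) return obj;  // already one of our proxies
    if (toProxy.has(obj)) return toProxy.get(obj);
    const proxy = new Proxy(obj, {
      get(t, prop) {
        if (revoked) throw new Error('membrane revoked');
        log.push(`get ${String(prop)}`);
        return wrap(Reflect.get(t, prop));  // outward: wrap the result
      },
      apply(t, thisArg, args) {
        if (revoked) throw new Error('membrane revoked');
        log.push(`call ${t.name || '(anonymous)'}`);
        // inward: unwrap, so the inside sees its own objects; outward: wrap
        return wrap(Reflect.apply(t, unwrap(thisArg), args.map(unwrap)));
      },
    });
    toProxy.set(obj, proxy);
    toOriginal.set(proxy, obj);
    return proxy;
  }
  return { proxy: wrap(target), revoke: () => { revoked = true; }, log };
}

// Constructed sample capability: a directory whose entries are themselves caps.
function makeDir() {
  const files = { notes: { read: () => 'hello' } };
  return {
    lookup: (name) => files[name],
    isSame: (a, b) => a === b,  // sees originals, because arguments are unwrapped
  };
}
```

Calling `lookup` twice through the membrane yields the same proxy, so the holder's `===` comparisons keep working, while `revoke()` afterwards makes every proxy that ever crossed the membrane throw.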