[cap-talk] T.120-like apps

Stiegler, Marc D marc.d.stiegler at hp.com
Mon Apr 25 12:19:15 EDT 2005

> What did I miss? What is Joe-E?

Joe-E is the 100% pure Java subset that is capability secure. It uses
the Elib for communication. A big part that is not yet complete is the
verifier that will confirm that a class does not use any authorities it
does not receive as explicit messages, i.e., the verifier will verify
that a class follows the rules laid by in E by the safej files (which
specify which methods are suppressed, and which classes are considered
unsafe, for capability discipline). Of course, static class mutables are
also rejected by the verifier, as another example of verifier behavior.

Joe-E programs will have approximately all the promise-pipelined
object-capability properties of E (I say "approximately" because there
are some edge conditions. For example Joe-E programs will probably be
allowed to use integers, not just BigIntegers; the plan the last time I
was involved was, you could check and reject integers with a lintlike
tool, but it would not be a part of the core verifier). Since it is pure
Java (or Java with SWT, which is what Eclipse was designed for, and
which has been tamed in the safej files along with Java), IDEs for Java
should just work fine for JoeE.

I myself have written no Joe-E code. Markm tells me that you need the
clever new typing system in 1.5 to make it pleasant to use. I have
written a tiny amount of Elib using code in Java, I don't quite
understand the issue, but you should probably believe markm :-)

Anyway, David Wagner has a small project planned to carry that work to


More information about the cap-talk mailing list