[cap-talk] On revocation and the use of wrappers
Jed at Webstart
donnelley1 at webstart.com
Tue Dec 5 18:16:26 CST 2006
At 03:12 PM 12/5/2006, Valerio Bellizzomi wrote:
>What is a membrane in this context?
The basic idea of a membrane is that one can send a permission
(capability) through the membrane so that it can be invoked and
so any derived permissions (capabilities) fetched through
the membrane remain accessible only through the membrane.
At any time the whole complex can be revoked. The text with
MarkM's figure 9.3 provides an independent explanation (along
with the code of course):
_______________
Figure 9.3: Membranes Form Compartments. The simple caretaker pattern shown previously is only safe for Alice to use when she may rely on Carol not to provide Carol's clients with direct access to herself. When Alice may not rely on Carol, she can use the membrane pattern. A membrane additionally wraps each capability (non-data reference) passing in either direction in a caretaker, where all these caretakers revoke together. By spreading in this way, the membrane remains interposed between Bob and Carol. The simplified membrane code shown here has the security properties we require, but is not yet practically efficient.
_______________________________
I'll mention that the mechanism I'm working on for delegating responsibility
contains what is effectively a membrane along with the identity assignment
and derivation (delegation tracking) for each permission.
--Jed http://www.webstart.com/jed/
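The membrane pattern from the quoted figure text, as an added JavaScript example (not code from the post and not MarkM's E implementation): each non-data reference crossing in either direction is wrapped in a Proxy caretaker, and every caretaker checks one shared revocation flag, so a single revoke() cuts off the original capability and every reference derived through it. The sample objects (carol, her friend Dave) are constructed for the demo.

```javascript
// Minimal revocable membrane built on Proxy (added example, assumptions above).
function makeMembrane(target) {
  let revoked = false;
  // Maps each object to its counterpart on the other side (and back), so a
  // reference crossing twice is unwrapped rather than double-wrapped, and the
  // same object always gets the same wrapper (identity preserved per side).
  const counterpart = new WeakMap();

  function assertLive() {
    if (revoked) throw new Error('membrane revoked');
  }

  function wrap(value) {
    // Data (primitives) passes through; only references are interposed.
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) return value;
    if (counterpart.has(value)) return counterpart.get(value);
    const proxy = new Proxy(value, {
      get(t, prop) { assertLive(); return wrap(Reflect.get(t, prop)); },
      set(t, prop, v) { assertLive(); return Reflect.set(t, prop, wrap(v)); },
      // thisArg and args arrive from the caller's side; the result goes back the other way.
      apply(t, thisArg, args) { assertLive(); return wrap(Reflect.apply(t, wrap(thisArg), args.map(wrap))); },
    });
    counterpart.set(value, proxy);
    counterpart.set(proxy, value);
    return proxy;
  }

  return { proxy: wrap(target), revoke() { revoked = true; } };
}

// Constructed sample: Carol hands out a derived reference (her friend) and a
// reference to herself; Bob only ever sees either through the membrane.
const carol = {
  secret: 42,
  friend: { name: 'Dave', greet() { return 'hi from ' + this.name; } },
  self() { return this; },
};

function demo() {
  const { proxy: bobsCarol, revoke } = makeMembrane(carol);
  const friend = bobsCarol.friend;                  // derived reference, wrapped too
  const before = {
    data: bobsCarol.secret,                          // 42: data is not wrapped
    friendIsWrapped: friend !== carol.friend,        // Bob never holds the raw object
    greeting: friend.greet(),                        // 'hi from Dave'
    selfIsSameWrapper: bobsCarol.self() === bobsCarol, // no direct access to Carol
  };
  revoke();                                          // one revoke kills the whole complex
  let deadFriend = false;
  try { friend.greet(); } catch (e) { deadFriend = true; }
  return { ...before, deadFriend };
}
```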