[cap-talk] On revocation and the use of wrappers
Valerio Bellizzomi
devbox at selnet.org
Tue Dec 5 19:12:44 CST 2006
On 05/12/2006, at 16.16, Jed at Webstart wrote:
>At 03:12 PM 12/5/2006, Valerio Bellizzomi wrote:
>>What is a membrane in this context?
>
>The basic idea of a membrane is that one can send a permission
>(capability) through the membrane so that it can be invoked and
>so any derived permissions (capabilities) fetched through
>the membrane remain accessible only through the membrane.
>At any time the whole complex can be revoked. The text with
>MarkM's figure 9.3 provides an independent explanation (along
>with the code of course):
>_______________
>Figure 9.3: Membranes Form Compartments. The simple caretaker pattern shown
>previously is only safe for Alice to use when she may rely on Carol not to
>provide Carol's clients with direct access to herself. When Alice may not
>rely on Carol, she can use the membrane pattern. A membrane additionally
>wraps each capability (non-data reference) passing in either direction in a
>caretaker, where all these caretakers revoke together. By spreading in this
>way, the membrane remains interposed between Bob and Carol. The simplified
>membrane code shown here has the security properties we require, but is not
>yet practically efficient.
I have seen it already, thanks.
>_______________________________
>
>I'll mention that the mechanism I'm working on for delegating responsibility
>contains what is effectively a membrane along with the identity assignment
>and derivation (delegation tracking) for each permission.
>
>--Jed http://www.webstart.com/jed/
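The membrane Jed describes above (every non-data reference crossing in either direction is wrapped in a caretaker, and all of those caretakers revoke together) as an added, runnable example in JavaScript built on Proxy. This is not code from the thread and not MarkM's E implementation from figure 9.3; makeMembrane, pass, attempt, makeCarol and the constructed Alice/Bob/Carol scenario are this example's own names and assumptions.

```javascript
// Added example, not code from the cap-talk thread or from MarkM's thesis:
// a simplified revocable membrane in JavaScript built on Proxy.
// makeMembrane, pass, attempt and makeCarol are this example's own names.

function makeMembrane(initialTarget) {
  let revoked = false;
  const toProxy = new WeakMap();  // original object/function -> its wrapper
  const toTarget = new WeakMap(); // wrapper -> original object/function

  function checkRevoked() {
    if (revoked) throw new Error('membrane revoked');
  }

  // Every non-data reference crossing the membrane, in either direction, is
  // wrapped in a caretaker that shares the one revocation flag. A wrapper that
  // crosses back is unwrapped, so identity round-trips and each underlying
  // object has exactly one wrapper. Primitives are data and pass unchanged.
  function pass(value) {
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      return value;
    }
    if (toTarget.has(value)) return toTarget.get(value); // crossing back: unwrap
    if (toProxy.has(value)) return toProxy.get(value);   // already wrapped
    const handler = {
      get(target, prop) {
        checkRevoked();
        return pass(Reflect.get(target, prop));    // derived refs stay inside
      },
      set(target, prop, v) {
        checkRevoked();
        return Reflect.set(target, prop, pass(v)); // refs stored inward get wrapped
      },
      has(target, prop) {
        checkRevoked();
        return Reflect.has(target, prop);
      },
      apply(target, thisArg, args) {
        checkRevoked();
        return pass(Reflect.apply(target, pass(thisArg), args.map(pass)));
      },
      construct(target, args) {
        checkRevoked();
        return pass(Reflect.construct(target, args.map(pass)));
      },
    };
    const proxy = new Proxy(value, handler);
    toProxy.set(value, proxy);
    toTarget.set(proxy, value);
    return proxy;
  }

  return { wrapper: pass(initialTarget), revoke() { revoked = true; } };
}

// Constructed scenario using the thread's cast: Alice holds Carol and hands
// Bob a membraned Carol. Carol hands out a derived object (friend) and also
// accepts a callback from Bob, so references cross in both directions.
function makeCarol() {
  const friend = { greet(name) { return `hi ${name}`; } };
  let callback = null;
  return {
    friend,
    getFriend() { return friend; },
    register(cb) { callback = cb; },
    notify(msg) { return callback === null ? null : callback(msg); },
  };
}

// Run fn and return either its result or the message of what it threw.
function attempt(fn) {
  try { return fn(); } catch (e) { return e.message; }
}

function demo() {
  const carol = makeCarol();
  const { wrapper: bobsCarol, revoke } = makeMembrane(carol);

  const bobsFriend = bobsCarol.getFriend();      // Bob receives a wrapper, not friend
  bobsCarol.register((msg) => `bob got ${msg}`); // Carol stores a wrapper of Bob's fn

  const result = {
    greetBefore: bobsFriend.greet('Bob'),
    notifyBefore: carol.notify('ping'),            // Carol reaches Bob through the membrane
    oneWrapperPerObject: bobsFriend === bobsCarol.friend,
    bobNeverSeesRawFriend: bobsFriend !== carol.friend,
  };

  revoke(); // Alice cuts the whole complex at once

  result.getFriendAfter = attempt(() => bobsCarol.getFriend());
  result.greetAfter = attempt(() => bobsFriend.greet('Bob'));  // derived ref dies too
  result.notifyAfter = attempt(() => carol.notify('ping'));    // so does Carol's hold on Bob
  result.aliceStillWorks = carol.getFriend().greet('Alice');   // raw refs are untouched
  return result;
}

console.log(demo());
```

Like the simplified code in the thesis, this is a sketch of the security property rather than a production membrane. It traps only get, set, has, apply and construct, so a reference can still escape along paths it does not cover: a value Carol throws is not routed through pass, Object.getPrototypeOf on a wrapper returns the real prototype, and property descriptors are not wrapped. It also ignores Proxy invariants, so wrapping a frozen object whose properties hold non-configurable, non-writable object references would throw a TypeError on access. Those are the gaps a practical implementation has to close.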