[cap-talk] On revocation and the use of wrappers
Neal H. Walfield
neal at walfield.org
Wed Dec 6 12:13:04 CST 2006
At Tue, 05 Dec 2006 10:11:24 -0500,
Jonathan S. Shapiro wrote:
> In practice, however, the problem doesn't seem to work out in the way
> you describe, because the case of "object capability points to server"
> is almost never observed in the wild. The problem with this design
> pattern is that it prevents the server from performing selective
> revocation of objects. The practical consequence is that servers tend to
> issue wrapper capabilities that encapsulate server capabilities rather
> than the server capabilities themselves.
As I understand you here, your claim is that it is almost always the
case that the server hands out wrapped capabilities, correct? From
our discussions, I seem to remember that selected revocation is
actually a rarely useful pattern--and it's in this vein that I've been
thinking about designing servers. Could you more fully motivate this?
> Because of this, the wrapping protocol doesn't tend to work in quite the
> way that you describe. What tends to happen is that the granting client
> goes to the server and says: "please fabricate a new wrapper for this
> object", and then hands the new wrapper to the client. This, of course,
> involves storage allocation, but it is the server who populates the
> wrapper.
Say Alice has a capability to Bob and she wants to delegate revocable
(perhaps, but not necessarily, weakened) access to Carol. As I
understand you, she would call the appropriate fetch method and pass a
sub-space bank to Bob with enough space for him to allocate a wrapper.
Correct?
> While the original provider can shoot the bank, this doesn't guarantee
> revocation, because the client can make a new wrapper for itself using
> its own storage and discard the original; the server cannot tell.
What I think you are saying, staying with the above example, is that
Carol could invoke the fetch method and get her own wrapper (which is
inferior to the one she got from Alice). Then when Alice shoots the
space bank, her access would be cut off but her wrapper would not be
deallocated. Is that correct?
> In any of these cases, I still claim that the revocation pattern is
> rare.
Then why always wrap server capabilities?
> My argument is that well-structured applications have failure
> domains that are smaller than their revocation domains.
Could you please elaborate this claim a bit. I feel that there is
some important, fundamental point here but I'm unable to get at it.
Thanks,
Neal
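The scenario walked through above (Alice's bank-funded wrapper for Carol, Carol re-wrapping with her own storage, Alice shooting her bank), as an added example that is not part of the thread: a small Python model with constructed SpaceBank, Server and Wrapper classes, and a hypothetical `chain` switch that decides whether the server builds a fresh wrapper around the raw object or around the wrapper the caller presented. The chained variant is the standard caretaker-chaining answer, not something the thread itself proposes.

```python
class Revoked(Exception):
    pass
class SpaceBank:
    """Constructed model of a space bank: shooting it kills everything it paid for."""
    def __init__(self):
        self.allocated = []
    def shoot(self):
        for obj in self.allocated:
            obj.alive = False

class Wrapper:
    """Forwarding wrapper fabricated by the server and stored in the sponsoring bank."""
    def __init__(self, server, target):
        self.server, self.target, self.alive = server, target, True
    def write(self, msg):
        if not self.alive:
            raise Revoked("wrapper storage reclaimed")
        return self.target.write(msg)
    def fetch(self, bank):
        """Ask the server for a fresh wrapper paid for by the caller's own bank."""
        if not self.alive:
            raise Revoked("wrapper storage reclaimed")
        return self.server.fabricate(bank, self)

class Server:
    """Bob. `chain` (hypothetical switch) decides what a fresh wrapper forwards to."""
    def __init__(self, chain):
        self.chain, self.log = chain, []
    def write(self, msg):
        self.log.append(msg)
        return len(self.log)
    def fabricate(self, bank, presented):
        # Naive: wrap the raw object (self), so the new wrapper outlives the old one.
        # Chained: wrap the presented wrapper, so revocation stays transitive.
        wrapper = Wrapper(self, presented if self.chain else self)
        bank.allocated.append(wrapper)
        return wrapper

def carol_keeps_access(chain):
    """Alice grants, Carol re-wraps with her own bank, Alice shoots her bank."""
    bob = Server(chain)
    alice_bank, carol_bank = SpaceBank(), SpaceBank()
    carol_cap = bob.fabricate(alice_bank, bob)  # Alice's revocable grant to Carol
    carol_own = carol_cap.fetch(carol_bank)     # Carol's self-funded replacement
    alice_bank.shoot()                          # Alice revokes
    try:
        carol_own.write("after revocation")
        return True
    except Revoked:
        return False
```

With the naive server Carol's self-funded wrapper survives Alice's revocation, which is the escape Shapiro describes; with chaining it dies with the wrapper it forwards to.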