[cap-talk] On revocation and the use of wrappers and In Defense of Identities

Mark S. Miller markm at cs.jhu.edu
Wed Dec 6 12:26:09 CST 2006


Jonathan S. Shapiro wrote:
> I will respond to Jed's note separately. I just want to observe that
> protocols which are satisfactory for language-based solutions sometimes
> are not satisfactory for OS-based solutions, because there is a relative
> factor of ~1000 in the round-trip overhead per interaction.
> 
> When you describe the protocol, please be careful to identify the number
> of round trips, and also which environment you think it works for.


I want to be clear that this protocol is very new. It has not yet been 
implemented nor used. Nor has it been well examined on many practical grounds. 
Nor do I claim it to be the minimal protocol of its form that meets its goals. 
The protocol may or may not be adequate on all these dimensions -- we'll see.

The point of it, at this stage, is to establish the logical possibility of 
solving this set of simultaneous problems with a pure capability protocol. If 
it succeeds at this first goal, then we should examine what (if anything) is 
needed to derive practical protocols from it. As you say, the issues of 
practicality will probably depend crucially on substrate. Designs that are 
practical for network/distributed or language-based cap systems may not be 
practical for OSes. Again, we'll see.


A bit of history. At HP we've been working on a project called Scoopfs. This 
contains as a component a capability-based petmail-like system called 
Scoopfs-mail. I had a sense that my design for this was wrong, and that what 
was needed was something like the introduction protocol from Alan's Client 
Utility, and something like the never documented po-box protocol done by 
Trevor Morris and myself at Electric Communities. However, I couldn't put my 
finger on precisely what problem I was trying to solve, and so was thrashing.

The "rub" conversation on cap-talk, especially the back-and-forth between Jed 
and Alan, helped me see the problem precisely. I believe this was 90% of the 
battle. Once I understood the problem, a logically adequate protocol followed 
quickly. Now we'll see how much more work is needed to derive a practically 
adequate protocol.


-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM