[cap-talk] In Defense of Identities - not
Jonathan S. Shapiro
shap at eros-os.com
Wed Dec 6 14:44:53 CST 2006
On Wed, 2006-12-06 at 14:40 -0600, Eric Jacobs wrote:
> On Wed, 06 Dec 2006 11:46:17 -0500
> "Jonathan S. Shapiro" <shap at eros-os.com> wrote:
>
> > 3. In the absence of a trusted service, it is exceptionally
> > difficult to get transitivity of revocation right. The simple
> > cases are simple and the hard cases are impossible. Consider:
> >
> > c1->someOperation(...arg...) => c2
> >
> > the decision to wrap the 'c2' capability depends a great deal
> > on what 'someOperation' does.
>
> What would such a decision depend on? Is there an advantage to sending back an unprotected capability?
>
> -Eric
Oh very definitely there are advantages to not wrapping:
1. Introducing a wrapper is incredibly expensive (thousands of cycles).
2. Introducing a wrapper requires storage allocation. This raises
accounting issues that perturb APIs.
3. Introducing a wrapper requires a capability lookup to see if another
wrapper has already been introduced for C2 so that the results of EQ can
be preserved.
4. Because of EQ, it's unclear what to do when C1==C2 and C1 was not
wrapped.
5. If the responsibility for wrapper introduction lies in the object
servers, then our story for revocation only works for objects whose
implementation we trust.
--
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
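The following is an added example, not code from the cap-talk thread, from EROS or from the message's author. It models the scenario c1->someOperation(...arg...) => c2 with caretaker (forwarding) wrappers in Python: c1 is handed out behind a wrapper, and every non-data result c2 of an invocation through that wrapper is itself wrapped with the same revocation state, so revoking the root revokes everything reached through it. Point 3 of the message (a lookup before introducing a wrapper so EQ is preserved) is implemented as a per-root table of existing wrappers, and the operation that returns its own receiver (the C1 == C2 case of point 4) gets back the wrapper already in that table. All names here (Caretaker, Directory, File, lookup, self_ref, make_revocable) are invented for the example; the sample objects are constructed stand-ins for object-server capabilities, and the choice to pass plain data through unwrapped is an assumption of this model, not something the message prescribes.

```python
"""Transitive revocation through caretaker wrappers (added example)."""


class Revoked(Exception):
    """Raised when a revoked caretaker, or anything reached through it, is used."""


# Assumption of this model: plain data is not a capability and crosses the
# wrapper boundary unchanged; everything else is treated as a capability.
_DATA_TYPES = (type(None), bool, int, float, str, bytes)


class _RevocationState:
    """Shared by one root caretaker and all wrappers introduced through it."""

    def __init__(self):
        self.revoked = False
        # Point 3 of the message: before introducing a wrapper for a returned
        # object, look up whether one already exists so that EQ is preserved.
        # Keyed by id(); the stored wrapper keeps its target alive, so the id
        # cannot be recycled while the entry exists.
        self._wrappers = {}

    def wrap(self, value):
        if isinstance(value, _DATA_TYPES):
            return value
        if isinstance(value, Caretaker) and value._state is self:
            return value  # already one of ours: never stack a second wrapper
        existing = self._wrappers.get(id(value))
        if existing is not None:
            return existing  # same underlying object, same wrapper (EQ holds)
        wrapper = Caretaker(value, self)
        self._wrappers[id(value)] = wrapper
        return wrapper

    def revoke(self):
        self.revoked = True
        # Drop the targets so that revoked wrappers retain no authority at all.
        for wrapper in self._wrappers.values():
            wrapper._target = None
        self._wrappers.clear()


class Caretaker:
    """Forwarding wrapper: the holder's only path to the underlying object."""

    def __init__(self, target, state):
        self._target = target
        self._state = state

    def invoke(self, op, *args):
        if self._state.revoked:
            raise Revoked(op)
        # Arguments are passed through as given: unwrapping our own wrappers
        # here would hand the callee raw, unrevocable authority.
        result = getattr(self._target, op)(*args)
        return self._state.wrap(result)


def make_revocable(target):
    """Return (caretaker for target, revoke function) for a new root."""
    state = _RevocationState()
    return state.wrap(target), state.revoke


# Constructed sample objects standing in for object-server capabilities.
class File:
    def __init__(self, content):
        self._content = content

    def read(self):
        return self._content


class Directory:
    def __init__(self, entries):
        self._entries = entries

    def lookup(self, name):
        return self._entries[name]

    def self_ref(self):
        return self  # the C1 == C2 case: someOperation returns its receiver


def demo():
    raw_dir = Directory({"a": File(b"hello")})
    c1, revoke = make_revocable(raw_dir)
    f1 = c1.invoke("lookup", "a")
    f2 = c1.invoke("lookup", "a")
    eq_preserved = f1 is f2                      # one wrapper per object
    self_is_c1 = c1.invoke("self_ref") is c1     # receiver comes back as c1
    before = f1.invoke("read")                   # data passes through
    revoke()
    try:
        f1.invoke("read")
        transitively_revoked = False
    except Revoked:
        transitively_revoked = True
    # Revocation cuts only the wrapped path; the raw object is untouched.
    raw_still_works = raw_dir.lookup("a").read() == b"hello"
    return {"eq": eq_preserved, "self": self_is_c1, "before": before,
            "revoked": transitively_revoked, "raw": raw_still_works}


if __name__ == "__main__":
    print(demo())
```

The table lookup in wrap() is exactly the extra capability lookup and storage allocation that points 2 and 3 of the message count as costs of wrapping, and the whole scheme only protects objects that are reached through the caretaker: any raw reference obtained some other way, as the last line of demo() shows, is unaffected by revoke().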