[cap-talk] EQ not required by object-cap model (was :Flawed first attempt)

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Sat Dec 9 15:19:49 CST 2006


At Fri, 08 Dec 2006 07:56:12 -0800,
Marc Stiegler <marcs at skyhunter.com> wrote:
> It is even more rare that EQ is necessary, indeed, it can be argued (and 
> Dean has done a pretty good job of demonstrating) that EQ is never 
> actually required. Let us consider rights amplification as an obvious 
> problem for which EQ seems necessary. For the rights amplification 
> primitive sealer/unsealer pair, there are two well-known 
> implementations: the ping sealer, and the shared variable sealer. The 
> ping sealer requires EQ. But the shared variable sealer does not. See 
> them at
> 
> http://www.cypherpunks.to/erights/talks/efun/pingSealer.ppt

I am not very familiar with E, but if I interpret this correctly, the
shared variable sealer works because:

1. Nobody else can invoke box.share() while unseal() is running (I
   suppose that explains the "Incompatible with threads" comment in
   the presentation), and

2. The shared variable sealer can safely invoke box.share() without
   potentially blocking forever on the request even without checking
   what type of object box is (I suppose that might explain the "share
   message risk/notary inspector solution" comment).

Issue 1 I think is not problematic.  The shared variable sealer can
hypothetically work around that by guarding the critical sequence with
a lock against processing invocations of the box object.

Issue 2 I think is problematic.  I don't know what the "notary
inspector solution" is, but it seems to me that it involves checking
if box is indeed an object implemented by the shared variable sealer
itself (or at least has some implementation that we are willing to
run).  This seems to me to involve an eq? check, or at least a weak
form of it: Reading out the "brand" of a capability in EROS speak.

I found myself that I do not necessarily need eq?, but I need a weak
form which allows a server to test if a capability is implemented by
itself, and if yes, which object it refers to.

Does this coincide with your experience?

Thanks,
Marcus
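
An added illustration, not part of the original message or of the linked presentation: a JavaScript sketch of a shared variable sealer next to a variant that first applies the weak "is this box one of mine, and which one?" test described above. The names `makeSharedVariableSealer`, `makeBrandedSealer` and `demo` are hypothetical, and the `WeakMap` lookup is an assumed stand-in for reading a capability's brand.

```javascript
// Shared variable sealer: seal() and unseal() share one closed-over slot.
function makeSharedVariableSealer() {
  const EMPTY = Symbol("empty");
  let shared = EMPTY;
  return {
    seal(value) {
      // The box's only power is to drop its payload into the shared slot.
      return { share() { shared = value; } };
    },
    unseal(box) {
      shared = EMPTY;
      box.share(); // issue 2: runs whatever code `box` carries, unchecked
      if (shared === EMPTY) throw new Error("not one of my boxes");
      const value = shared;
      shared = EMPTY;
      return value;
    },
  };
}

// Weak brand test (assumption): the sealer records the boxes it created and
// looks the argument up before doing anything else. No foreign code is run.
function makeBrandedSealer() {
  const payloads = new WeakMap(); // box -> payload, keyed by object identity
  return {
    seal(value) {
      const box = Object.freeze({});
      payloads.set(box, value);
      return box;
    },
    unseal(box) {
      if (!payloads.has(box)) throw new Error("not one of my boxes");
      return payloads.get(box);
    },
  };
}

function demo() {
  let calls = 0;
  const foreign = { share() { calls += 1; } }; // constructed foreign object
  const r = {};
  const a = makeSharedVariableSealer();
  r.roundTripA = a.unseal(a.seal("secret"));
  try { a.unseal(foreign); } catch (e) { r.errA = e.message; }
  r.ranUnderA = calls; // foreign share() was executed before rejection
  const b = makeBrandedSealer();
  r.roundTripB = b.unseal(b.seal("secret"));
  try { b.unseal(foreign); } catch (e) { r.errB = e.message; }
  r.ranUnderB = calls - r.ranUnderA; // rejected without running foreign code
  return r;
}
```

Both variants reject the foreign object, but only the first one executes its `share()` method on the way; a `share()` that never returns would stall that `unseal()` call.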



