[cap-talk] Another "core" principle

Jed at Webstart donnelley1 at webstart.com
Wed Dec 20 17:52:40 CST 2006


At 03:19 PM 12/20/2006, Bill Frantz wrote:
>shap at eros-os.com (Jonathan S. Shapiro) on Sunday, December 17, 2006 wrote:
>
> >I'm not sure my concern is valid, but I'm concerned about the membrane
> >pattern. If the consequence of causally dependent capabilities (which is
> >what membranes build) is that nobody ever dares to revoke a membrane,
> >then there is absolutely no point introducing the membranes in the first
> >place.
>
>The same issue applies to zapping space banks and the disk format
>command.  There is no way to undo their destructive effects.
>
>Cheers - Bill

While I don't know much about zapping space banks, I'm of course
quite familiar with reformatting disks.  If I reformat a disk and that
disk had meaningful user data that they need for their work, I go
back to work and restore what I reformatted.

In the message above you seem to suggest that if a revocation
happens and it stops somebody from doing their work, that's
OK.  If the revocation is as intended and the person should no
longer have access, then of course it is more than OK, it's
what should happen.

However, in the case we've been discussing (

1.  Alice -> Bob -> Carol -> Dave  ("->" indicates delegates to),

2.  Bob's access is revoked,

3.  Carol is introduced to Alice and Alice decides that Carol
should be trusted with the authority delegated to her from
Alice via Bob.

) this is not the intent and I regard it as very far from OK.
Because of #3 both Carol and Dave should continue to be
able to exercise the authority granted to them from Alice
by Bob.

To my thinking this is exactly the sort of issue that Lampson
was describing when he suggested that capability systems
are intrinsically so complex that they can never be made
practical.

I don't believe there is anything in the basic capability paradigm
that makes this so and I believe the object/capability paradigm
can handle this situation - without having to trigger a massive
repopulation of capabilities in Carol's directories and without
requiring redelegation by Carol (e.g. to Dave) and similar
repopulation of directories all the way down the chain - where
of course knowledge of this event should (and I argue can)
be largely unknown.

--Jed http://www.webstart.com/jed/ 
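The following is an added worked example, not code from the cap-talk thread nor from any of the systems it mentions. It models the delegation chain in the post with revocable forwarders (caretakers) whose liveness depends transitively on the forwarder they were minted from, which is the causal dependence Shapiro worries about: revoking Bob silently cuts off Carol and Dave. The adopt() operation is this example's own assumption about one way step 3 could be realised without handing Carol or Dave any new capability objects; it is not presented as Jed's proposal. The Resource and the holder names are constructed sample data.

```python
# Added example (not from the cap-talk thread): causally dependent
# delegation via revocable forwarders, and one assumed way (adopt) for
# Alice to vouch for Carol after Bob is revoked without repopulating
# Carol's or Dave's directories.


class Revoked(Exception):
    """Raised when a forwarder, or any forwarder it depends on, is revoked."""


class Resource:
    """The underlying object Alice ultimately controls (constructed sample)."""

    def __init__(self, name):
        self.name = name
        self.uses = []

    def use(self, who):
        self.uses.append(who)
        return f"{who} used {self.name}"


class Forwarder:
    """A revocable capability: proxies calls to its target while live.

    A forwarder is live only if it has not itself been revoked AND the
    forwarder it was minted from (its parent) is live. That transitive
    check is what makes delegated capabilities causally dependent:
    revoking Bob cuts off everyone downstream of Bob.
    """

    def __init__(self, holder, target, parent=None):
        self.holder = holder
        self._target = target
        self._parent = parent
        self._revoked = False

    def is_live(self):
        if self._revoked:
            return False
        return self._parent is None or self._parent.is_live()

    def use(self):
        if not self.is_live():
            raise Revoked(f"{self.holder}'s capability is revoked")
        return self._target.use(self.holder)

    def delegate(self, to):
        """Mint a forwarder for `to` that depends on this one ("->" in the post)."""
        return Forwarder(to, self._target, parent=self)

    def revoke(self):
        self._revoked = True

    def adopt(self, other):
        """Re-anchor `other` so it depends directly on this forwarder.

        Assumed mechanism for step 3: Alice, holding a live forwarder for
        the same target and having been introduced to Carol's forwarder,
        makes Carol's existing object depend on hers instead of on Bob's.
        Carol's and Dave's directories are untouched; Dave's forwarder
        still points at Carol's, which is live again.
        """
        if not self.is_live():
            raise Revoked(f"{self.holder} cannot vouch: own capability revoked")
        if other._target is not self._target:
            raise ValueError("can only adopt a forwarder for the same target")
        other._parent = self


def try_use(fwd):
    """Return the result of fwd.use(), or the Revoked message on failure."""
    try:
        return fwd.use()
    except Revoked as e:
        return f"REVOKED: {e}"


def scenario():
    """Walk through steps 1-3 from the post and report liveness at each step."""
    disk = Resource("disk")
    alice = Forwarder("Alice", disk)     # Alice holds the root forwarder
    bob = alice.delegate("Bob")          # 1. Alice -> Bob
    carol = bob.delegate("Carol")        #         -> Carol
    dave = carol.delegate("Dave")        #                  -> Dave

    report = {"step1": (bob.is_live(), carol.is_live(), dave.is_live())}

    bob.revoke()                         # 2. Bob's access is revoked
    report["step2"] = (bob.is_live(), carol.is_live(), dave.is_live())

    alice.adopt(carol)                   # 3. Alice vouches for Carol directly
    report["step3"] = (bob.is_live(), carol.is_live(), dave.is_live())
    report["bob"] = try_use(bob)
    report["dave"] = try_use(dave)
    return report


if __name__ == "__main__":
    for step, value in scenario().items():
        print(step, value)
```

Two things worth noticing when running it. After step 2 Carol and Dave are cut off even though nothing about their own forwarders changed, which is the "nobody dares revoke" hazard. After step 3 Dave's forwarder works again without Dave (or Carol) having received anything new; the only party that had to know about the event is Alice, who needed a reference to Carol's forwarder (the introduction in step 3) plus her own live root. The cost of this design is that every use walks the parent chain, and adopt() must be guarded so that only a holder of a live forwarder for the same target can re-anchor anyone; the version here enforces both checks but is a model, not a production membrane.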