[cap-talk] Network POLA, network accounting and capability databases?

[Norman Hardy]

On Jun 19, 2006, at 1:41 PM, Jed at Webstart wrote:

.........
> In my experience (others may and I hope do differ) this second #2
> (accounting) has been less well developed in capability systems.  In
> fact I'd be quite interested to explore a thread on accounting in  
> object
> capability systems if anybody else has an interest in the topic.
> If nobody else is interested I'd at least like to hear why not -
> e.g. because they believe it's a solved problem or because they
> believe it's intractable or otherwise not productive.
>
Keykos has highly developed accounting hooks,
see <http://cap-lore.com/CapTheory/KK/Resource.html>.
It was written for a Timesharing company that charged for resources.
There are several features available there that are available in no  
other system, I think.
They seemed to be sufficient to install an application with  
guaranteed resources.
This was within the confines of one machine and indeed guaranteeing  
resources
for a distributed application is much more difficult.

> I'd be happy to share our accounting experiences from our
> NLTSS development.  While we had a working production
> system, I don't believe our solution was adequate for general
> network user accounting.  The basic problem with our solution
> is that it was based on an "account" capability.  That seems
> pretty natural in an object capability model.  However, when
> you consider such an approach, every time a "user" (any
> program actually acting on a user's behalf) wished to create
> an object, that account capability must be passed along.
> That means that any and every service will then be "deputized"
> to use the user's account capability and potentially to steal
> resources that should be available only to the user.
>
> If you trust your basic servers (e.g. in our case the file server,
> directory server, process server, and the account server
> were our base level servers) then this isn't much of a problem.
> However, even when working on NLTSS I didn't see a good way
> to extend such an accounting mechanism to the whole network.
>
> If some untrustworthy person like John Carlson (;-) happened
> to put up some sort of a network database service on the
> network, why should I pass that service my "account capability"
> in order to account for services that I use there?  Perhaps others
> have dealt with the problem more for a general network
> implementation and can suggest ways of dealing with the
> more general accounting issue.  I think (correct me if I'm
> wrong) this is basically what John is getting at.
>
> Perhaps this is getting into the area of commerce (e.g. network
> "money") for a network object capability model.  Are there
> resources to draw on in this area?
........