[cap-talk] Users in object/capability systems (was: MLS gone bad, Lampson)

Valerio Bellizzomi devbox at selnet.org
Thu Nov 23 15:49:05 CST 2006

On 21/11/2006, at 10.24, Jed at Webstart wrote:

>At 10:11 AM 11/18/2006, Valerio Bellizzomi wrote:
>>On 17/11/2006, at 16.54, Jed at Webstart wrote:


>> >>My experience with capability based systems starts with EROS. I try
>> >>to find my way...
>> >
>> >And?  Does EROS work as above or otherwise?
>>It isn't yet clear to me how a running Coyotos system will work.
>The above is all pretty simple DVH sort of capability stuff.  I believe
>it could even be supported in the network capabilities as data world,
>except that there needs to be some sort of escrow mechanism or
>otherwise to insure that the identity (e.g. process) that creates the
>new delegated capability can't itself access it.

I know the DVH stuff, which has been extended in EROS with "diminish-take"
(I think). But Coyotos is still a work in progress and many details will
probably change.
For example, the recent introduction of Endpoints and FCRBs, as Shap said
in his paper, modifies the system architecture.

>> >There is some "superuser" that has control of the system.   That
>> >can make the system look like anything they wish.
>>Yes, but also the "system architect" can make the system look like
>>anything they wish.
>>The system architect is a "super-superuser".
>>So I think that if we talk about a "superuser", we have to define how
>>we trust the System Architect, the Installer, and the Operator, or
>>our talk ends up in a dead end.
>Fine.  No problem.

Now I have to say that we trust the system architect, and, as I read it,
the customer should have the possibility to redo the proof with
automated tools. It still remains to be demonstrated how effective this
will prove to be. However, the fact that the validation can be done by
the customer for free is a great thing.
