[cap-talk] capability copy and capability map
Mark Miller
erights at gmail.com
Wed Oct 25 14:55:55 CDT 2006
On 10/25/06, Marcus Brinkmann <marcus.brinkmann at ruhr-uni-bochum.de> wrote:
> The challenge by the L4 people is to find a use case of capability
> copy that can not be avoided by a different overall system design.
With capability copy, in the scenario shown at
<http://www.erights.org/elib/equality/grant-matcher/>, if Alice and
Dana both give the Grant Matcher copies of their capabilities to KEQD,
the Grant Matcher can compare them, see whether they are the same, and
if so, then send $20 to KEQD on either cap, since these caps are now
known to be equivalent. On KeyKOS, the relevant primitive is the
Discrim key.
In a system supporting only capability map, how would you solve the
grant matcher puzzle?
EQ and rights amplification are closely related. For suitable
definitions of EQ and rights amplification, either can be trivially
built from the other. But it is at least difficult to build these
starting from a cap system with neither (such as Joule or pure
Actors).
I don't yet understand map and its consequences, but it seems to me
like a map-only cap system at least resembles a cap system with no
primitive EQ. In a map-only cap system, how do you do rights
amplification?
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
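To make the puzzle concrete, here is an added toy model (not from the post, nor KeyKOS or E code) of the Grant Matcher in Python. The hypothetical `discrim` function stands in for a primitive EQ such as the KeyKOS Discrim key; the `Forwarder` shows why behaviour alone cannot settle the question, since it is indistinguishable from the real KEQD cap by any message the matcher can send.

```python
# Constructed example: a small object-capability model of the Grant Matcher.
# Every class and name here is an assumption made for this demo.

class Charity:
    """The KEQD endpoint: a holder of this cap can only deposit money."""
    def __init__(self, name):
        self.name = name
        self.received = 0

    def deposit(self, amount):
        self.received += amount


class Forwarder:
    """A proxy that behaves exactly like its target but is a distinct capability.
    A dishonest donor could hand the matcher one of these instead of a copy of KEQD."""
    def __init__(self, target):
        self._target = target

    def deposit(self, amount):
        self._target.deposit(amount)


def discrim(cap_a, cap_b):
    """Primitive EQ: do the two caps designate the same object?
    Modelled by object identity; in KeyKOS this role is played by the Discrim key."""
    return cap_a is cap_b


class GrantMatcher:
    """Pays the matched grant only when both donors designate the same recipient."""
    def __init__(self, grant=20):
        self.grant = grant

    def match(self, alice_cap, dana_cap):
        if not discrim(alice_cap, dana_cap):
            return False            # cannot prove equivalence: refuse to pay
        alice_cap.deposit(self.grant)   # either cap will do; they are known equivalent
        return True


def demo():
    keqd = Charity("KEQD")
    matcher = GrantMatcher()
    honest = matcher.match(keqd, keqd)                 # both donors copied the same cap
    proxied = matcher.match(keqd, Forwarder(keqd))     # behaviourally alike, but not EQ
    return honest, proxied, keqd.received
```

With only behavioural probes (no `discrim`), the matcher could not tell the second case from the first, which is the gap a map-only design without a primitive EQ would have to close some other way.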