[cap-talk] the "flaw" of separating designation from authority
Karp, Alan H
alan.karp at hp.com
Fri Oct 27 15:53:49 CDT 2006
Fred Spiessens wrote:
>
> So, MyFileSystem is provided as a file-library in the
> language, and the programmer is forced to use it, directly or
> indirectly, when writing client data to a file and logging it
> to his own file in one atomic action?
>
Not quite. MyFileSystem is provided by a service that acts on behalf of
many users. The service updates the files using the user's authorities
and logs all writes using the service's authorities. All users have
read authority on the log file.

You have said that all that's needed is unforgeable authorities. I'm
simply stressing that the system must allow the programmer to express
which authorities go with which designations. You also said that. I'm
just suggesting that you keep these two statements together, since it's
possible to build a system that has one but not the other.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
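
The arrangement described in the message above, as an added sketch that is not part of the original thread: a service writes files with the user's authority and appends to a log with its own. Every name except MyFileSystem is an assumption, and Python does not enforce unforgeability, so `WriteCap` only models a capability.

```python
class WriteCap:
    """Designates one file and carries the authority to write it."""
    def __init__(self, store, name):
        self._store, self.name = store, name

    def write(self, data):
        self._store[self.name] = data

class MyFileSystem:
    """Service acting for many users; method names are assumptions."""
    LOG = "service.log"  # constructed name
    def __init__(self):
        self._store = {self.LOG: ""}
        # The service's own authority: the only write capability for the log.
        self._log_cap = WriteCap(self._store, self.LOG)

    def create(self, name):
        self._store[name] = ""
        return WriteCap(self._store, name)  # creator receives the authority

    def read_log(self):  # every user may read the log
        return self._store[self.LOG]

    def _log(self, entry):
        self._log_cap.write(self.read_log() + entry + "\n")

    def write_by_name(self, name, data):
        # Designation only: the service's ambient authority does the write.
        self._store[name] = data
        self._log(f"write {name}")

    def write_with_cap(self, cap, data):
        # The capability is the designation, so the user's authority is used.
        if not isinstance(cap, WriteCap):
            raise PermissionError("a write capability is required")
        cap.write(data)
        self._log(f"write {cap.name}")

def demo():
    fs = MyFileSystem()
    fs.write_with_cap(fs.create("alice.txt"), "hello")
    before = fs.read_log()
    try:
        fs.write_with_cap(fs.LOG, "")  # a bare name carries no authority
        refused = False
    except PermissionError:
        refused = True
    fs.write_by_name(fs.LOG, "")  # log overwritten with the service's authority
    return before, refused, fs.read_log()
```

`write_by_name` has unforgeable authority available but no way to say which authority goes with the caller's designation, so the earlier log entry is lost; `write_with_cap` keeps the two together and the same request is refused.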