[cap-talk] capabilities are inherently multiuser things, correct?
David Hopwood
david.hopwood at industrial-designers.co.uk
Sun Aug 12 18:01:54 EDT 2007
John Carlson wrote:
> It doesn't make any sense to have a single-user capability system,
> correct?
It does make sense. Why do you think otherwise?
> When I say single-user, I mean no messages from the outside, and no
> requests going out across the internet, etc.
A single-user system in this sense might be lacking in utility for
general-purpose computing, but there isn't any technical reason why
it doesn't make sense.
In the embedded and safety-critical applications space, such systems
are very common. Remember that the fault isolation properties of
capability systems are good for reliability as well as security,
even when we only consider systems where all programs are written by
trusted parties.
> If capabilities are going to be something, they've got to get out of
> the single-user mindset.
I don't think that designers of capability systems have ever been in
a "single-user mindset" that they needed to get out of. Many of the
earliest capability systems had support for distributed capabilities.
Providing some degree of network transparency is more difficult for
non-capability systems, which usually rely heavily on shared memory,
than it is for capability systems that are primarily based on message
passing.
> To me, this means having shared-capabilities, or communities formed
> on the internet. How does one take two or more communities, and
> form a single community, say one discussing approximate dynamic
> programming (a cross-discipline idea based on decision making and
> optimization)?
Any system that supports off-line capability representations (e.g.
captp: or httpsy: URLs) makes it relatively straightforward to share
capabilities among groups with changing membership.
(I don't think it would be very likely for security restrictions to
be based on membership of an academic community, but the choice of
example here is probably not important.)
I suggest reading at least chapters 7 and 17 of MarkM's thesis, at
<http://www.erights.org/talks/thesis/>, if you haven't already done so.
--
David Hopwood <david.hopwood at industrial-designers.co.uk>
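The point above about off-line capability representations (captp: or httpsy: style URLs) making it straightforward to share capabilities among a group with changing membership, sketched as an added Python example; this is not code from the post, from E or from any captp implementation. The `cap://example.invalid/` URL form is hypothetical, only the unguessable "swiss number" idea is taken from the post, and the per-member revocable forwarder used to handle a departing member is an assumption the post does not describe.

```python
import hashlib
import secrets

class Revoked(Exception): pass  # message reached a forwarder whose target was cut off

class Discussion:
    """The object a capability designates: a shared discussion thread."""
    def __init__(self, topic):
        self.topic, self.posts = topic, []
    def post(self, author, text):
        self.posts.append((author, text))
        return len(self.posts)

class Forwarder:
    """Per-member revocable proxy: forwards until revoke() severs the link."""
    def __init__(self, target):
        self._target = target
    def post(self, author, text):
        if self._target is None:
            raise Revoked("capability has been revoked")
        return self._target.post(author, text)
    def revoke(self):
        self._target = None

class Registry:
    """Converts live references to off-line capability strings and back. Only the
    SHA-256 of the swiss number is stored, so a leaked table yields no live caps."""
    def __init__(self):
        self._table = {}
    def export(self, obj):
        swiss = secrets.token_urlsafe(32)            # 256 bits of entropy, unguessable
        self._table[hashlib.sha256(swiss.encode()).hexdigest()] = obj
        return "cap://example.invalid/" + swiss      # hypothetical URL form (assumption)
    def redeem(self, url):
        swiss = url.rsplit("/", 1)[-1]
        obj = self._table.get(hashlib.sha256(swiss.encode()).hexdigest())
        if obj is None:
            raise PermissionError("unknown or malformed capability")
        return obj

class Community:
    """Changing membership: admit() issues a cap via a fresh forwarder, expel() revokes it."""
    def __init__(self, registry, discussion):
        self._registry, self._discussion, self._members = registry, discussion, {}
    def admit(self, name):
        fwd = Forwarder(self._discussion)
        self._members[name] = fwd
        return self._registry.export(fwd)
    def expel(self, name):
        self._members.pop(name).revoke()
```

Because each member holds a distinct forwarder, expelling one member invalidates only the string that member was given; everyone else's off-line capability keeps working.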