[cap-talk] Comprehensive Security Policies on Capability Systems

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Mon Jan 15 20:03:17 CST 2007

Toby Murray wrote:
> From:
> http://www.eros-os.org/pipermail/cap-talk/2006-December/006458.html
> posted by Mark Miller
>>When Bob joins the company, a user-agent is created for
>>Bob-as-employee. If needed, a separate user-agent is created for Bob.
>>(If Bob already has his own computer with his own user-agent, he can
>>elect to use that!)
>>The relevant membrane is between Bob and Bob-as-employee. While Bob is
>>with the company, Bob acts as a puppeteer, operating the
>>Bob-as-employee puppet through the membrane. When Bob leaves the
>>company, Bob loses the ability to operate Bob-as-employee, but
>>Bob-as-employee continues to exist. It has lost its puppeteer, and
>>therefore some of its anima, but it hasn't lost any of its authority.
>>When the company reassigns Bob's duties to someone else, they also
>>transfer the puppet strings, so that other person can now operate
>>Bob-as-employee. The puppet show must go on, masking the effects of
>>puppeteer turnover.
> Here "Bob-as-employee" is a role, available to user Bob. Bob may have
> other roles he can assume too, in which case he'd have capabilities to
> other membranes that represent these roles as well. 
> One could enhance it by having the membrane for role X disallow any caps
> to traverse it that have already passed through the membrane for another
> role Y. The idea would be to prevent Bob from using caps obtained in
> role X while acting in role Y, [...]

Why would we want to do that?

David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
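
The membrane arrangement quoted above from Mark Miller's post, as an added JavaScript example that is not part of the original thread or of any poster's code. It is simplified: only values flowing out through the membrane are wrapped, and the names makeMembrane, EmployeeAgent, fileReport, inbox and demo are hypothetical.

```javascript
// Revocable membrane: everything obtained through it is wrapped as well,
// so one revoke() cuts off every reference the holder ever got this way.
function makeMembrane(target) {
  const toWrapper = new WeakMap(); // real object -> proxy (stable identity)
  const toReal = new WeakMap();    // proxy -> real object
  const revokers = [];
  const unwrap = (v) => (toReal.has(v) ? toReal.get(v) : v);
  // Simplification: operations that would hand out raw objects are refused.
  const deny = () => { throw new TypeError('not supported by this membrane'); };

  function wrap(value) {
    if (Object(value) !== value) return value; // primitives carry no authority
    if (toWrapper.has(value)) return toWrapper.get(value);
    const { proxy, revoke } = Proxy.revocable(value, {
      get: (obj, prop) => wrap(Reflect.get(obj, prop)),
      set: (obj, prop, v) => Reflect.set(obj, prop, unwrap(v)),
      apply: (fn, thisArg, args) =>
        wrap(Reflect.apply(fn, unwrap(thisArg), args.map(unwrap))),
      getOwnPropertyDescriptor: deny, defineProperty: deny,
      getPrototypeOf: deny, setPrototypeOf: deny, construct: deny,
    });
    toWrapper.set(value, proxy);
    toReal.set(proxy, value);
    revokers.push(revoke);
    return proxy;
  }
  return { proxy: wrap(target), revoke: () => revokers.forEach((r) => r()) };
}

// Constructed scenario: the puppet keeps its state and authority while the
// puppeteer changes.
class EmployeeAgent {
  constructor(name) { this.name = name; this.filed = []; }
  fileReport(text) { this.filed.push(text); return this.filed.length; }
  inbox() { return { read: () => `mail for ${this.name}` }; }
}

function demo() {
  const bobAsEmployee = new EmployeeAgent('Bob-as-employee');
  const bob = makeMembrane(bobAsEmployee);   // Bob's puppet strings
  bob.proxy.fileReport('Q4 summary');
  const inbox = bob.proxy.inbox();           // obtained through the membrane
  bob.revoke();                              // Bob leaves the company
  let bobCutOff = false;
  try { inbox.read(); } catch (e) { bobCutOff = true; }
  const alice = makeMembrane(bobAsEmployee); // strings handed to a successor
  const count = alice.proxy.fileReport('Q1 plan');
  return { bobCutOff, count, mail: alice.proxy.inbox().read() };
}
```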
