[cap-talk] I Recant (was: Low-probability events)
Jonathan S. Shapiro
shap at eros-os.com
Tue Jan 16 07:37:56 CST 2007
On Tue, 2007-01-16 at 05:57 +0100, Pierre THIERRY wrote:
> Scribit Jonathan S. Shapiro dies 15/01/2007 hora 19:47:
> > The test of an object-capability system is whether (1) the
> > capability/data partition is enforced by the system's run-time, and
> > (2) capabilities are explicitly designated when invoked.
>
> I don't understand: how would any distributed system fulfill this
> requirement: any hostile agent can decide to use caps as data, can't it?
The distributed system forms a distributed run-time. Communications
between nodes need to be protected (for now: cryptographically). In the
limit, a strong claim requires mutually trusted attestation.
--
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
More information about the cap-talk
mailing list