[cap-talk] Wikipedia: Object-capability model - reference vs. capability?

Mark Miller erights at gmail.com
Wed Jan 17 16:00:30 CST 2007


On 1/17/07, Charles Landau <clandau at macslab.com> wrote:
> That is not true. The value of the E expression:
> R == S
> differs in the two cases. I think we reached consensus that the EQ
> operation ought to be allowed, though not required, in obj-cap
> systems.
>
> It certainly isn't true that
> const int seven = 7;
> and
> const cap Seven = new NumberKey(7);
> are indistinguishable.


Some clarifications:
* David's code was in Joe-E, not E.
* In both E and Joe-E, there is no observable difference between R and S.
* When the difference between these are observable, we say the object
has an observable "creation identity" -- each act of creating such an
object endows it with a unique unforgeable identity distinct from the
identity endowed by any other act of creation.
* Objects with an observable creation identity are "selfish". Those
without are "selfless".
* In both E and Joe-E, all data is selfless.
* In E, the difference isn't observable because "==", applied to
selfless E objects, compares contents, not creation identity.
* In Joe-E, the difference isn't observable because "==" isn't allowed
between selfless objects.

In any objcap system, an object with an observable unforgeable
creation identity is not data, since such an identity provides
testable uniqueness beyond what information (bits) by themselves can
provide. Therefore a reference to such an object is a capability.

In KeyKOS, start keys to two independently created domains which are
otherwise indistinguishable may be distinguished by Discrim. Therefore,
start keys are capabilities.

In KeyKOS, my understanding is that two independently created number
keys representing the number 7 cannot be distinguished. Number keys
are compared only on their contents, not on whether they were created
by the same act of creation. Is this correct? If so, then they are
selfless, and we can choose to describe them as references to data
objects if we wish.

-- 
Text by me above is hereby placed in the public domain

    Cheers,
    --MarkM
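The selfish/selfless distinction above, modelled in Python as an added example (this is not code from the post, from E, Joe-E or KeyKOS; the names NumberKey, Domain, Gate, creation_identity_observable and forgeable_from_contents are made up for the illustration). A frozen dataclass stands in for a selfless number key: == compares contents, so two independent creations are indistinguishable and anyone who knows the bits can rebuild an equal key. A plain class with default identity comparison stands in for a selfish domain: only the original reference passes an authority check, which is why a reference to such an object is a capability rather than data.

```python
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class NumberKey:
    """Selfless: the key's whole meaning is its contents (hypothetical stand-in
    for a KeyKOS-style number key).

    frozen=True makes the generated __eq__/__hash__ work over the fields, so
    two independently created NumberKey(7) values are indistinguishable by ==.
    """
    value: int


class Domain:
    """Selfish: each construction yields a distinct creation identity
    (hypothetical stand-in for the domain behind a start key).

    No __eq__ is defined, so Python's default identity comparison applies:
    a == b is True only when a and b are the very same object.
    """

    def __init__(self, name: str) -> None:
        self.name = name  # contents; deliberately not part of equality


def creation_identity_observable(make: Callable[[], Any]) -> bool:
    """Build two objects from identical arguments and ask whether == tells them
    apart. True means the type is selfish (its references are capabilities);
    False means it is selfless (data)."""
    a, b = make(), make()
    return a != b


def forgeable_from_contents(held: Any, rebuild: Callable[[], Any]) -> bool:
    """Can a party that knows only the contents of `held` manufacture a value
    an equality-based check accepts? For data, yes; for a selfish object, only
    the original reference compares equal."""
    return rebuild() == held


class Gate:
    """Toy access check: a Domain may enter only if that very object was admitted.
    Set membership uses __hash__/__eq__, i.e. creation identity for Domain."""

    def __init__(self) -> None:
        self._admitted: set = set()

    def admit(self, d: Domain) -> None:
        self._admitted.add(d)

    def may_enter(self, d: Domain) -> bool:
        return d in self._admitted


def demo() -> dict:
    """Constructed scenario: one admitted domain and a look-alike built from
    the same contents."""
    gate = Gate()
    alice = Domain("alice")
    gate.admit(alice)
    lookalike = Domain("alice")  # same contents, separate act of creation
    return {
        "number_key_selfish": creation_identity_observable(lambda: NumberKey(7)),
        "domain_selfish": creation_identity_observable(lambda: Domain("d")),
        "number_key_forgeable": forgeable_from_contents(NumberKey(7), lambda: NumberKey(7)),
        "domain_forgeable": forgeable_from_contents(alice, lambda: Domain("alice")),
        "holder_enters": gate.may_enter(alice),
        "lookalike_enters": gate.may_enter(lookalike),
    }


if __name__ == "__main__":
    for key, result in demo().items():
        print(f"{key}: {result}")
```

Python only models the distinction, it does not enforce it: `is` still exposes the allocation identity of a NumberKey, and nothing forbids comparing two selfless values the way Joe-E does, so the creation-identity guarantee here rests on convention rather than on the language.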
