[cap-talk] Confused Deputies arising from object capabilities
Karp, Alan H
alan.karp at hp.com
Mon Feb 4 13:26:11 EST 2008
Jed wrote:
>
> Whew. That would be pretty darn ACL of you Alan! Still, I
> also believe that it could be done safely - though it seems to
> me to require considerable additional careful thought. For
> example, I don't know how the Horton tunnel would make the
> identity information available to Bob. Still, I suppose the
> above is possible. Wouldn't be my first choice for an
> architecture ;-)
>
Bob has a single capability for writing the log. That capability points to a caretaker. Horton sets the redirect in the caretaker to write to the appropriate file. Bob never needs to know the identity of the requester.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
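
A minimal sketch of the arrangement described in the message above, as an added example that is not part of the original post and is not the Horton protocol's own code: Bob holds one log-writing capability backed by a caretaker, and a stand-in for the tunnel redirects it per requester. The names makeCaretaker, makeLogFile, makeBob, makeTunnel, the requester ids and the in-memory log files are all assumptions made for illustration.

```javascript
// Caretaker: a forwarder whose target can be swapped by whoever holds `redirect`.
// Only `facet` is handed to Bob, so Bob can write but cannot choose the file.
function makeCaretaker() {
  let target = null; // current log sink, or null when no request is in flight
  const facet = Object.freeze({
    write(entry) {
      if (target === null) throw new Error('log capability has no target');
      target.append(String(entry));
    },
  });
  const redirect = (sink) => { target = sink; };
  return { facet, redirect };
}

// In-memory stand-in for a per-requester log file (constructed for this example).
function makeLogFile() {
  const lines = [];
  return { append: (l) => { lines.push(l); }, read: () => lines.slice() };
}

// Bob: holds exactly one log capability and is never passed a requester identity.
function makeBob(log) {
  return Object.freeze({
    serve(request) { log.write(`served ${request}`); return request.toUpperCase(); },
  });
}

// Hypothetical stand-in for the tunnel: it knows who is calling, points the
// caretaker at that requester's file, forwards the call, then clears the target.
function makeTunnel(bob, redirect, filesByRequester) {
  return function proxyFor(requesterId) {
    const file = filesByRequester.get(requesterId);
    if (!file) throw new Error('unknown requester');
    return Object.freeze({
      serve(request) {
        redirect(file);
        try { return bob.serve(request); } finally { redirect(null); }
      },
    });
  };
}

function demo() {
  const files = new Map([['alice', makeLogFile()], ['carol', makeLogFile()]]);
  const { facet, redirect } = makeCaretaker();
  const proxyFor = makeTunnel(makeBob(facet), redirect, files);
  proxyFor('alice').serve('read report');
  proxyFor('carol').serve('list jobs');
  return { alice: files.get('alice').read(), carol: files.get('carol').read(), facet };
}
```

The target is cleared after each call, so a write Bob defers past the end of a request fails instead of landing in another requester's file.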