[cap-talk] Confused Deputies arising from object capabilities
jed at nersc.gov
Mon Feb 4 17:07:27 EST 2008
On 2/4/2008 10:26 AM, Karp, Alan H wrote:
> Jed wrote:
>> Whew. That would be pretty darn ACL of you Alan! Still, I
>> also believe that it could be done safely - though it seems to
>> me to require considerable additional careful thought. For
>> example, I don't know how the Horton tunnel would make the
>> identity information available to Bob. Still, I suppose the
>> above is possible. Wouldn't be my first choice for an
>> architecture ;-)
> Bob has a single capability for writing the log. That
> capability points to a caretaker. Horton sets the
> redirect in the caretaker to write to the appropriate file.
> Bob never needs to know the identity of the requester.
I see. A somewhat similar issue shows up in the
proposed MLS over Horton scheme that I blue sky.
I imagine you will notice it if you follow it
More information about the cap-talk