[cap-talk] Consequences of revocation (was: Re: Use-case: hybrid capability systems)

Jed Donnelley jed at nersc.gov
Fri Feb 8 19:32:43 EST 2008


On 2/8/2008 1:57 PM, Jonathan S. Shapiro wrote:
...
> ...The issue I am concerned with is the consequences of revocation.
...
> ...The problem that I am concerned with is inadvertent
> breakage of capability references as a consequence of membrane
> revocation.

I'd like to understand better what you consider
"the problem" to be - specifically with regard to
revocation.

From my perspective capabilities are revoked and
invocations on them no longer function as they
previously did.  E.g. they return "invalid", etc.

With a mechanism like Horton such a revocation can
be rescinded to later re-establish access, just as
with any ACL system.  In that case the capability
that formerly supported some operations and then
didn't support those operations again can support
the original operations.

In general behind-the-scenes state changes can
affect the results of operations on capabilities.

I don't see that as part of "the problem" but as
part of the solution - namely the solution to the
nearly universally perceived problem of "loss of
control" with capabilities (not knowing who did
what and being able to control who does what in
the future).

Revocation seems to me an inevitable consequence
of such desired 'control'.  What is "the problem"?

--Jed  http://www.webstart.com/jed/
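
The behaviour described in the message above (invocations on a revoked capability return "invalid", and work again once the revocation is rescinded), as an added example that is not part of the original post and is not Horton itself: a minimal caretaker-style forwarder with an audit log. `makeRevocable`, `cap`, `control` and the sample `file` object are hypothetical names chosen for illustration.

```javascript
'use strict';

// Caretaker-style forwarder (hypothetical names throughout). The grantor keeps
// `control`; the client is handed only `cap` and never sees `target` itself.
function makeRevocable(target, methods, clientName, auditLog) {
  let enabled = true;
  const cap = {};
  for (const name of methods) {
    cap[name] = (...args) => {
      // Record who attempted what, whether or not it was allowed.
      auditLog.push({ client: clientName, op: name, allowed: enabled });
      // While revoked, the same reference answers "invalid" instead of forwarding.
      return enabled ? target[name](...args) : 'invalid';
    };
  }
  const control = {
    revoke() { enabled = false; },
    restore() { enabled = true; }, // rescinds the revocation
  };
  // Caveat: return values are passed through unwrapped, so this is a single
  // caretaker, not a membrane over everything reachable from `target`.
  return { cap: Object.freeze(cap), control: Object.freeze(control) };
}

// Constructed scenario: one client, one object, revoke and then restore.
function demo() {
  const file = { data: 'v1', read() { return this.data; } };
  const log = [];
  const { cap, control } = makeRevocable(file, ['read'], 'alice', log);
  const before = cap.read();
  control.revoke();
  const during = cap.read();
  file.data = 'v2';   // state changes behind the scenes while access is off
  control.restore();
  const after = cap.read();
  return { before, during, after, log };
}

console.log(demo());
```

The client holds the same `cap` reference throughout; only the grantor's `control` object decides whether it currently forwards.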


