[cap-talk] High level dissonance (was: Re: What sparked interest in capabilities)

David Chizmadia (Home) chizmadia at comcast.net
Fri Feb 22 17:24:44 EST 2008


In the examples cited, I don't really see that there is an inversion
or any abnormal circumstances.

In the first place, the user would have to be providing the raw
storage space for the application (in EROS or Coyotos, this would be
the action of creating and handing the application a space bank).

In the migration case, the obvious designs would be
   (1) to hand the space bank capability to the new application or
   (2) for all well-behaved applications to provide a facet for
access to internal state (e.g., to permit a system-wide backup) or
   (3) for the application to provide the ability to export internal
state (to be used under normal conditions for backup or upgrade),
which can be used by other applications for migration or data
sharing.

Assuming Object Capabilities, security settings would simply be
application object attributes that would be available through
(presumably) restricted facets.

-DMC
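As an added illustration of designs (2) and (3) above and of security settings held behind restricted facets (example code, not from the original post or from EROS/Coyotos; the space bank and facet names are constructed stand-ins):

```python
import copy
from types import SimpleNamespace


class SpaceBank:
    """Constructed stand-in for an EROS/Coyotos space bank: a storage quota
    that the user creates and hands to the application (assumed API)."""

    def __init__(self, quota_bytes: int) -> None:
        self.quota_bytes = quota_bytes
        self.used_bytes = 0

    def allocate(self, n: int) -> None:
        if self.used_bytes + n > self.quota_bytes:
            raise MemoryError("space bank exhausted")
        self.used_bytes += n


def make_application(bank: SpaceBank) -> SimpleNamespace:
    """Build an application whose records and security settings live only
    inside this closure. Returns the full capability plus two attenuated
    facets (hypothetical names): 'export_facet' for backup/migration and
    'settings_facet' for the security attributes."""
    records: dict = {}
    settings: dict = {"allow_network": False}

    def put(key: str, value: str) -> None:
        bank.allocate(len(key) + len(value))  # storage is charged to the bank
        records[key] = value

    def export_state() -> dict:
        # Read-only snapshot: a deep copy, so holders cannot mutate live state.
        return copy.deepcopy({"records": records, "settings": settings})

    def import_state(state: dict) -> None:
        for key, value in state["records"].items():
            put(key, value)  # re-charged to *this* application's own bank
        settings.update(state["settings"])

    def get_setting(name: str):
        return settings[name]

    def set_setting(name: str, value) -> None:
        settings[name] = value

    full = SimpleNamespace(put=put, export=export_state, import_state=import_state)
    export_facet = SimpleNamespace(export=export_state)  # no put, no import
    settings_facet = SimpleNamespace(get=get_setting, set=set_setting)
    return SimpleNamespace(full=full, export_facet=export_facet,
                           settings_facet=settings_facet)


def migrate(export_facet: SimpleNamespace, new_app: SimpleNamespace) -> dict:
    """Migration needs only the old app's export facet and the new app's
    full capability; the raw storage of either app is never touched."""
    state = export_facet.export()
    new_app.import_state(state)
    return state
```

Holding `export_facet` conveys a snapshot and nothing else; the user never needs a capability to the raw storage to back up or migrate.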

zooko wrote:
> On Feb 22, 2008, at 11:45 AM, Rob Meijer wrote:
>> Does this inversion of the privilege ownership and delegation make any
>> sense to you? To me it does. I feel that making the user concept equally
>> subject to POLA as the programs would be a good thing. Doing so IMO
>> actually seems to make POLA simpler to implement than assigning the
>> special high privilege role to the user.
> 
> I think you might be onto a good idea here.  This mirrors what normal
> people do in real life -- they never directly access the storage used
> by their apps except occasionally when debugging, moving to a new
> machine or a new app, recovering from disaster, etc.  Most of them
> wouldn't know how to locate that storage if they wanted to.
> 
> I think you are right that a natural user interface would reflect, as
> you said in your message that "under normal circumstances", users
> never fiddle with that stuff.
> 
> This leaves open the question of how to handle abnormal
> circumstances, two of which Ivan Krstic raised in his follow-ups.  We
> would want the "abnormal circumstances" access control to be general
> (i.e., the same user interface is used to access the storage of all of
> your apps -- the app doesn't have the ability to change the user
> interface with which you can access its storage), and to be as safe
> as possible against phishing.
> 
> Merely by moving it from the realm of normal circumstances to the
> realm of abnormal, we have already made it safer against phishing.
> 
> Regards,
> 
> Zooko
> 
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
> 