[cap-talk] Announcing "Analysing Object-Capability Security" Paper and Authodox v. 0.2.0

lists at notatla.org.uk
Thu May 22 17:57:33 CDT 2008


Toby,

> For anyone who's interested, I'd love to get feedback on the paper
> before the final version is submitted on June 1st. It's available here:
> http://web.comlab.ox.ac.uk/people/toby.murray/papers/AOCS.pdf

I have a few newbie comments.

In Figure 1 b):

TheReadOnlyFwdr seems to hold a {read,write} capability on Fred
when I expected it to hold only {read}.   I realise that Alice
trusts TheReadOnlyFwdr (and probably created it), but since
there is only {read} from TheRevocableFwdr to TheReadOnlyFwdr
I found that part of the diagram odd.

The same goes for TheRevocableFwdr holding {get,set} on
the flag variable "Forward?".

TheRevocableFwdr presumably could have been given a read capability
direct to Fred, making this a diagram of one pattern rather than two.
Was it made in these two stages to match the limited alphabets of the
modelling in later sections?

The description that goes with Figure 1 b) uses verbs rather like
telling a story as opposed to merely describing an established layout.
   "We instantiate the ReadOnlyForwarder ... We then instantiate
   the RevocableForwarder ... Finally, we also give Alice
   a direct reference to Fred."
But if this is in story form I would have thought that the order is
backwards (direct access to the file coming last etc) and Alice
should be doing the work while "we" watch.


I've only made it to the end of 2.2 so far.
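Added example, not code from the paper or from this message: a minimal Python model of the two patterns as the figure is described above, a read-only forwarder that attenuates Fred to {read} and a revocable forwarder gated by the "Forward?" flag, composed in the two stages the message lists. Class and flag names follow the figure; the method names, the dict-based flag and the scenario values are assumptions.

```python
class Fred:
    """The underlying object Alice shares; it supports read and write."""
    def __init__(self, contents):
        self._contents = contents
    def read(self):
        return self._contents
    def write(self, contents):
        self._contents = contents

class ReadOnlyForwarder:
    """Attenuation: holds a full reference to its target (the {read,write}
    edge in the figure) but forwards only read(), so holders cannot write."""
    def __init__(self, target):
        self._target = target
    def read(self):
        return self._target.read()

class RevocableForwarder:
    """Forwards read() only while the shared "Forward?" flag is set ({get})."""
    def __init__(self, target, flag):
        self._target, self._flag = target, flag
    def read(self):
        if not self._flag["forward"]:
            raise PermissionError("capability revoked")
        return self._target.read()

def make_revocable(target):
    """Return (forwarder, revoke): Bob gets the forwarder, Alice keeps revoke."""
    flag = {"forward": True}          # the "Forward?" variable
    def revoke():                     # the only holder of {set} on the flag
        flag["forward"] = False
    return RevocableForwarder(target, flag), revoke

def scenario():
    """Two-stage composition from the figure, exercised from Bob's side."""
    fred = Fred("v1")                              # Alice's direct reference
    read_only = ReadOnlyForwarder(fred)            # stage 1: attenuate
    bob_cap, revoke = make_revocable(read_only)    # stage 2: make revocable
    first = bob_cap.read()                         # Bob reads "v1"
    can_write = hasattr(bob_cap, "write")          # False: write never forwarded
    fred.write("v2")                               # Alice edits directly
    second = bob_cap.read()                        # Bob sees the live "v2"
    revoke()                                       # Alice cuts Bob off
    try:
        bob_cap.read()
        revoked = False
    except PermissionError:
        revoked = True
    return first, can_write, second, revoked
```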
