[cap-talk] Stamps, Guards and Parents

[Toby Murray]

On Fri, 2009-02-13 at 15:52 +0000, David-Sarah Hopwood wrote:
> Toby Murray wrote:
> > I have a quick question. Is anyone aware of any capability patterns or
> > situations in which an object is required to be stamped* by an object
> > other than its parent?
> 
> Consider using a stamp to cache the fact that a subtree of objects has
> been verified/audited in some way. The subtree is not necessarily
> verified by its parent.

Indeed. Thanks. 


On Fri, 2009-02-13 at 09:05 -0800, Mark Miller wrote:
> http://www.erights.org/elang/kernel/auditors/
> http://wiki.erights.org/wiki/Guard-based_auditing
> http://www.cs.berkeley.edu/~finifter/pure-ccs08.pdf
> 
This makes concrete David-Sarah's point. Cheers.

In all of these examples, is it right to assume that the "auditor" in
each case has access to information other than that which could be
obtained by interacting with the object that is being audited.

For example, E's "auditors" (the first link) have access to the object's
source-code via an abstract syntax tree. The "auditing" that occurs in
the Joe-E functional purity work relies on the presence of a working
(static) type system. In both cases the auditor has access to
"meta"-information about an object that it uses to perform the audit.
I'm yet to digest the information on guard-based auditing, however.

Is that fair?

On Fri, 2009-02-13 at 14:19 -0800, Norman Hardy wrote:
> See http://cap-lore.com/CapTheory/KK/Vet.html for a new Keykos  
> implementation design for this problem.

Thanks. 

If I read this correctly, this solves the problem of Q needing to stamp
objects produced by P. Q stamps an object, p, created by P, by creating
a new object, q, that contains p and allows anyone to access the p that
it contains.

This, then, uses the ability of parents to stamp their children, to
allow arbitrary objects to stamp (something that designates) the
children of others.

Is that right?

Cheers

Toby