[cap-talk] Petnames versus E-order with ocaps
Karp, Alan H
alan.karp at hp.com
Fri Jan 30 10:17:46 EST 2009
Charles Landau wrote:
>
> You are asking about a hypothetical system that uses petnames. The
> answer is in the details of that system.
>
Yes.
> I imagine a system in which a reference coming into an object (such as
> Bob) is (efficiently) compared (using some form of EQ) with all existing
> references in the object. If there is a match, the system says "here is
> a reference that you know as foo". If there is no match, a new unique
> petname is somehow generated for the incoming reference.
>
If there is a match, and Bob sends a message to Carol using foo, i.e., foo<-bar(), is the message guaranteed to arrive after the message Alice sent to Carol? My contention is that we can't say, which means we can't enforce E-order in a petname system.
>
> > We can't let Bob's messages to Carol go
> > through immediately, because that violates E-order. We can't make
> > all of Bob's messages to Carol wait for Alice's message to arrive,
> > because that allows a malicious vat to block another vat's
> > independent requests. The issue is that a petname system can't
> > distinguish these two cases, which appears to mean that the ordering
> > guarantees must be weaker.
>
> The two references Bob has to Carol (old and new) are different (see
> above), so the petname system I'm imagining must give them different
> petnames.
>
In your example above, Bob refers to his old reference as foo, but if there's a match, Bob will also refer to his new reference as foo. So, which one gets used when Bob says foo<-bar()?
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
http://www.hpl.hp.com/personal/Alan_Karp
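
The two cases discussed in this message, as a toy model added here (it is not code from the thread or from E). The `after` fence on a reference, the policy names `merge_old`, `merge_new` and `distinct`, and the `foo'` naming are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ref:
    target: str                  # designated object; the only thing EQ compares
    after: Optional[str] = None  # assumed fence: message that must arrive first

class Vat:
    """Carol's vat: holds a message until its reference's fence has arrived."""
    def __init__(self):
        self.delivered, self.held = [], []
    def receive(self, msg, ref=Ref("carol")):
        if ref.after and ref.after not in self.delivered:
            self.held.append((msg, ref.after))
            return
        self.delivered.append(msg)
        ready = [m for m, fence in self.held if fence == msg]
        self.held = [(m, f) for m, f in self.held if f != msg]
        for m in ready:
            self.receive(m)

class Petnames:
    """Bob's table. policy: merge_old | merge_new | distinct (hypothetical names)."""
    def __init__(self, policy):
        self.policy, self.names = policy, {}
    def accept(self, ref, hint):
        if self.policy != "distinct":
            for name, known in self.names.items():
                if known.target == ref.target:       # EQ match: reuse the petname
                    if self.policy == "merge_new":
                        self.names[name] = ref       # petname now means the new ref
                    return name
        while hint in self.names:
            hint += "'"
        self.names[hint] = ref
        return hint

def scenario(policy, x_arrives):
    carol, bob = Vat(), Petnames(policy)
    bob.accept(Ref("carol"), "foo")                  # Bob's old, independent reference
    # Alice sends X to Carol (in flight), then passes Bob a reference fenced on X.
    name = bob.accept(Ref("carol", after="X"), "foo")
    carol.receive("bar", bob.names["foo"])           # Bob: foo<-bar()
    if name != "foo":
        carol.receive("baz", bob.names[name])        # Bob: foo'<-baz()
    if x_arrives:
        carol.receive("X")                           # Alice's message finally lands
    return name, carol.delivered, [m for m, _ in carol.held]
```

`scenario("merge_old", True)` delivers bar ahead of X, and `scenario("merge_new", False)` leaves bar held for as long as X is withheld. Only `distinct` keeps both properties in this model, at the cost of two petnames for one object.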