[cap-talk] NDAs
Mark Miller
erights at gmail.com
Mon Jun 8 14:22:43 EDT 2009
On Mon, Jun 8, 2009 at 1:32 AM, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> Hence, I argue that NDAs can be built on any capability system in which
> objects have access to a good source of randomness.
I think the fundamental non-delegatable permission your analysis
relies on is the right to receive messages sent on a given reference.
In systems like Coyotos, Flat Concurrent Prolog, Mach, Joule, or
ToonTalk, channels have two ends (ports, whatever). One represents the
right to place messages into the channel. The other represents the
right to receive (or be invoked by) messages that have been placed
into the channel. Either may be sent in messages, thereby sharing (or
transferring) the right to directly send ot receive. Joule has both
direct references and channels, but it is externally indistinguishable
whether one holds a direct reference or the send side of a channel.
I do not think you analysis applies to such systems.
--
Text by me above is hereby placed in the public domain
Cheers,
--MarkM
More information about the cap-talk
mailing list