[cap-talk] "ambient authority" on wiki.erights.org

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Jun 15 12:37:14 EDT 2009


On Mon, 2009-06-15 at 16:52 +0100, Toby Murray wrote:
> On Mon, 2009-06-15 at 16:22 +0100, David-Sarah Hopwood wrote:
> > Note that this is a property of the request. For example, a system
> > could have one "ambient request" API in which a request succeeds if the
> > subject has any applicable permission [*], and another "non-ambient request"
> > API, in which the permissions must be specified explicitly.
> ...
> > [*] This is not just a theoretical possibility; L4 is a reified permission
> >     system that is not (by the definitions I prefer) a capability system,
> >     because it uses such an ambient API. I am not sure whether L4 also has
> >     a non-ambient API.
> 
> The Mungi "capability" OS is the other way around. It is nominally a
> capability-based system in which the capability to authorise a request
> is inferred by the system (by walking the c-list of a process) rather
> than being specified by the requestor.

Oops. I now realise that you meant Iguana -- I was thinking of the L4
API that uses thread IDs everywhere and no capabilities. Mungi and
Iguana are the same in this respect of both being ambient authority
"reified permission" systems.
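The two API shapes discussed in this thread, as an added toy model that is not code from the thread or from L4, Iguana or Mungi: an "ambient request" is authorised by whichever capability the system finds by walking the subject's c-list, while a "non-ambient request" is checked only against the capability the requestor designates. The object names, rights and sample c-list are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Capability:
    """A reified permission: names an object and the rights held on it."""
    obj: str
    rights: frozenset

@dataclass
class Process:
    clist: list = field(default_factory=list)  # capabilities this subject holds

class PermissionDenied(Exception):
    pass

def ambient_request(proc, obj, right):
    """Ambient API: the requestor names only the object and operation; the
    system walks the subject's c-list and grants if ANY held capability
    applies. The authorising capability is inferred, not designated."""
    for cap in proc.clist:
        if cap.obj == obj and right in cap.rights:
            return cap
    raise PermissionDenied(f"no capability in c-list authorises {right} on {obj}")

def explicit_request(proc, cap, obj, right):
    """Non-ambient API: the requestor designates the capability it means to
    exercise; the system checks only that one, never the rest of the c-list."""
    if cap not in proc.clist:
        raise PermissionDenied("designated capability is not held by the subject")
    if cap.obj != obj or right not in cap.rights:
        raise PermissionDenied(f"designated capability does not authorise {right} on {obj}")
    return cap

def denied(request, *args):
    """True if the request raises PermissionDenied, False if it is granted."""
    try:
        request(*args)
        return False
    except PermissionDenied:
        return True

# Constructed sample state: one subject holding two capabilities.
cap_a = Capability("file-A", frozenset({"read", "write"}))
cap_b = Capability("file-B", frozenset({"read"}))
proc = Process(clist=[cap_a, cap_b])
```

Under the ambient API a request on file-A is granted without the requestor ever naming cap_a; under the explicit API the same request is refused when the requestor designates cap_b, even though cap_a sits in the c-list, because the property being checked belongs to the request rather than to the subject.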
