[cap-talk] Introduction by default (was: Re: binder ipc )
Jed Donnelley
capability at webstart.com
Tue Dec 27 10:10:59 PST 2011
On 12/26/2011 1:36 PM, Karp, Alan H wrote:
> ...
>> Or is there potential value in kernel Horton?
>>
> Horton is all about policy, and I don't believe policy should be built into the kernel.
I agree = my previous post (sans any performance issues, which are
implementation dependent practical matters).
> That being said, the kernel can provide an unforgeable identity with each invocation that can lead to a simpler protocol. For example, in an introduction by default system, Alice could distinguish invocations from Bob and Carol without needing sealed boxes.
>
> ...
It seems to me the above sentences contradict the immediately previous
sentence.
Perhaps it would help me to understand if you could further explain what
you mean by an "introduction by default" system.
It would help me in understanding your description if you would refer to
the corresponding points in the Horton paper. My specific focus of
concern is the point (near the upper right of page 3, referring to
figure 2):
_________________________
...Alice is saying in effect “Carol, I’d like to share with Bob my
access to C. Could you create a stub for Bob’s use?” Nothing forces
Alice to share her rights in this indirect way; Alice’s P1 could just
give Bob direct access to S2. But then Carol would necessarily blame
Alice for Bob’s use of S2, which Alice might not like.
_________________________
Of course we understand in the above that this description is
metaphorical. It isn't actually a person Alice speaking to a person
Carol, but rather an object (I prefer "active object" or process, but
I'll stick with the simple 'object' term from the Horton paper), A,
acting on behalf of a responsible entity (a 'who'), "Alice",
communicating with an object, C, acting on behalf of another responsible
entity, "Carol". The acting objects A, B, and C in Horton (e.g. figure
2) are distinct from the 'who' objects for Alice, Bob, and Carol.
"Alice" (the 'who') likely has many objects acting on her behalf besides
A. She need not and probably should not go through the Horton
responsibility tracking protocol for communication between those
objects. There likely aren't and should not be "who" objects for all
those objects acting on behalf of Alice.
It is the 'who' object for Alice that defines the "Alice" responsible
entity. Such "who" objects might conveniently represent people or roles
for people or other high level "positions" of responsibility.
I have some questions about "introduction by default" systems such as
you refer to:
1. How do such systems distinguish responsible entities (the Horton
"who"s) from other objects? What corresponds to the "who" object? How
can whatever corresponds to the "who" be communicated, wrapped, revoked,
etc.?
2. How does responsibility tracking (in Horton the ability to identify
an authority that's been communicated from Alice to Bob to David and
even perhaps back to Bob) work in introduction by default systems?
Perhaps once I better understand the basic idea of "introduction by
default" systems such questions will be easy for me to answer for
myself. Thanks for any clarification.
--Jed http://www.webstart.com/jed/
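As an added illustration (not from this post or the Horton paper), the following small Python model replays the quoted scenario: a service object acting for Carol records which 'who' it blames for each invocation, and a stub binds access to the 'who' it was issued to, so handing Bob Alice's own stub S2 gets Alice blamed while asking Carol for a stub for Bob gets Bob blamed. The names Who, Service, Stub, create_stub and run_scenario are assumed for the model, and it omits Horton's sealed boxes by simply trusting the 'who' passed to create_stub.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Who:
    """A responsible entity (Horton's 'who'); constructed for this model."""
    name: str


@dataclass
class Service:
    """The object C acting for Carol: records whom it blames for each request."""
    owner: Who
    blame_log: list = field(default_factory=list)

    def invoke(self, blamed: Who, request: str) -> str:
        # Carol attributes the request to whichever 'who' the stub was issued to.
        self.blame_log.append((blamed.name, request))
        return f"{self.owner.name} served {request!r}, blaming {blamed.name}"


@dataclass
class Stub:
    """A stub such as S2: access to `target`, every use of which is blamed on `blamed`."""
    target: Service
    blamed: Who

    def __call__(self, request: str) -> str:
        return self.target.invoke(self.blamed, request)


def create_stub(service: Service, for_who: Who) -> Stub:
    """What Carol's side does when asked "could you create a stub for Bob's use?".
    Assumption: the 'who' handed in is trusted as-is (no sealed boxes modelled)."""
    return Stub(service, for_who)


def run_scenario() -> list:
    """Replays both sharing paths from the quoted paragraph; returns Carol's blame log."""
    alice, bob, carol = Who("Alice"), Who("Bob"), Who("Carol")
    c = Service(owner=carol)
    s2 = create_stub(c, alice)      # Alice already holds stub S2 to Carol's C

    # Path 1: Alice hands S2 itself to Bob. Bob's use still arrives through a
    # stub issued to Alice, so Carol necessarily blames Alice.
    bob_direct_access = s2
    bob_direct_access("read")

    # Path 2: Alice asks Carol for a stub for Bob. Bob's use now arrives through
    # a stub issued to Bob, so Carol blames Bob.
    bob_stub = create_stub(c, bob)
    bob_stub("read")
    return c.blame_log


if __name__ == "__main__":
    for blamed, request in run_scenario():
        print(f"{request}: blamed on {blamed}")
```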