Vat Location Service

Mark S. Miller
Mon, 11 Jan 1999 15:39:30 -0800

At 02:57 PM 1/11/99 , Bill Frantz wrote:
>At 02:25 PM 1/11/99 -0800, Mark S. Miller wrote:
>>With what permissions do ISPs normally run CGIs?  Would they enable a
>>Vat/CGI to checkpoint itself between requests?  Note that the checkpoint
>>file contains secrets that must remain inaccessible to other unprivileged
>>users of the ISP.
>[?] Why does the VLS checkpoint?
>[?] What secrets?

[-] I was generalizing from VLSs to the general Vat problem.

VLSs don't need to checkpoint, and they don't need to keep long lived
secrets.  However, they do need to keep registration info from one CGI
request to the next (indeed, that's their purpose), so they need some form
of inter-request memory that they can read & write, and that other
unprivileged users can't write.

If they can checkpoint, then the short-lived registration information will
sometimes come back on-line before the 1-hour default re-registration
interval would have restored it anyway.  This probably isn't a good enough
reason to checkpoint, even when we can, since we gotta have redundant VLSs.

In any case, in the paragraph you quote, I was no longer speaking
specifically of VLSs.  Your idea of how an unprivileged user can painlessly
run a VLS at a standard ISP led me to wonder if you could enable
unprivileged users to run arbitrary E/Vat-based services at a standard ISP,
including services requiring persistent capabilities.  It would be most
wonderful for there to be a way.
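As an added illustration (not code from the thread or from E) of the inter-request memory the message describes: registrations that lapse after the 1-hour default re-registration interval, stored in a file the CGI refuses to use if other unprivileged users on the host could read or write it. The function names, the JSON layout and the use of a plain file are assumptions.

```python
import json
import os
import stat
import time

# Constructed value: the thread mentions a 1-hour default re-registration interval.
REREGISTER_INTERVAL = 3600  # seconds a registration stays valid without renewal

def register(registry, vat_id, location, now=None):
    """Record (or refresh) where a vat currently lives."""
    now = time.time() if now is None else now
    registry[vat_id] = {"location": location, "registered_at": now}
    return registry

def lookup(registry, vat_id, now=None):
    """Return the vat's location, or None if unknown or its registration has lapsed."""
    now = time.time() if now is None else now
    entry = registry.get(vat_id)
    if entry is None or now - entry["registered_at"] > REREGISTER_INTERVAL:
        return None
    return entry["location"]

def _open_private(path, flags, mode=0o600):
    """Open path, refusing it if other users on the host could read or write it."""
    fd = os.open(path, flags | getattr(os, "O_NOFOLLOW", 0), mode)
    st = os.fstat(fd)  # a pre-existing file keeps its old mode, so check after opening
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        os.close(fd)
        raise PermissionError(f"{path}: group/other access, mode {stat.S_IMODE(st.st_mode):04o}")
    return fd

def save_registry(registry, path):
    """Persist registrations between CGI requests in an owner-only (0600) file."""
    fd = _open_private(path, os.O_WRONLY | os.O_CREAT)
    os.ftruncate(fd, 0)
    with os.fdopen(fd, "w") as f:
        json.dump(registry, f)

def load_registry(path):
    """Load registrations, refusing a file other unprivileged users could tamper with."""
    try:
        fd = _open_private(path, os.O_RDONLY)
    except FileNotFoundError:
        return {}
    with os.fdopen(fd) as f:
        return json.load(f)
```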