Mark S. Miller
Wed, 02 Jun 1999 12:44:51 -0700
At 11:06 PM 6/1/99, Norman Hardy wrote:
>This is the terminology that I try to use:

Norm, this is excellent. In contemplating its relationship to
http://www.erights.org/elib/capability/delegations.html and especially
http://www.erights.org/elib/capability/confinement.html I realize there are
actually 4 relevant binary distinctions, which unfortunately are hard to

1) Your voluntary vs involuntary, which corresponds to my "may Bob and Mallet
2) My "Which side is Bob on?" question -- the assumptions about Bob's (or
Bob's author's) intentions.
3) Your inward vs outward, which I only raise on my capability page.
4) Information vs authority (bits vs capabilities), which I raise only on my

To my mind, you don't point out the most important use of bit-isolation
(what I was calling "inward bit confinement"): (Using your new terminology)
If you can both confine and isolate capabilities, and you can isolate bits,
but you can't confine bits, you can still prevent Bob from proxying
(effectively delegating) his undelegatable capability to Power, because
Bob's proxy cannot receive instructions (bits) from Mallet.

Much of E's architecture is there to achieve this. That (and contract
verification) is why there's such a need for partial determinism (or