Signal Insulation
Mark S. Miller
markm@caplet.com
Wed, 02 Jun 1999 12:44:51 -0700

At 11:06 PM 6/1/99, Norman Hardy wrote:
>This is the terminology that I try to use:
><http://www.mediacity.com/~norm/CapTheory/term.html>

Norm, this is excellent. In contemplating its relationship to
http://www.erights.org/elib/capability/delegations.html and especially
http://www.erights.org/elib/capability/confinement.html I realize there are
actually 4 relevant binary distinctions, which unfortunately are hard to
present well:

1) Your voluntary vs involuntary, which corresponds to my "may Bob and Mallet
speak?" question.
2) My "Which side is Bob on?" question -- the assumptions about Bob's (or
Bob's author's) intentions.
3) Your inward vs outward, which I only raise on my capability page.
4) Information vs authority (bits vs capabilities), which I raise only on my
confinement page.

To my mind, you don't point out the most important use of bit-isolation
(what I was calling "inward bit confinement"): (Using your new terminology)
If you can both confine and isolate capabilities, and you can isolate bits,
but you can't confine bits, you can still prevent Bob from proxying
(effectively delegating) his undelegatable capability to Power, because
Bob's proxy cannot receive instructions (bits) from Mallet.

Much of E's architecture is there to achieve this. That (and contract
verification) is why there's such a need for partial determinism (or
"loggable nondeterminism").
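
The proxying argument in the message above, as a small reachability model. This is an added illustration, not code from the original message or from E. It assumes "confine" restricts flow out of Bob and "isolate" restricts flow in (following the "inward bit confinement" gloss); Carol, Dave, the channel graph and all function names are constructed for the example.

```python
from collections import deque

# Constructed sample graph: (sender, receiver, kind). A "caps" channel carries
# capabilities and bits; a "bits" channel carries data only. Carol and Dave
# are invented intermediaries.
CHANNELS = [("Mallet", "Carol", "caps"), ("Carol", "Bob", "caps"),
            ("Bob", "Dave", "caps"), ("Dave", "Mallet", "caps")]
HOLDERS = {"Bob"}   # Bob holds the capability to Power
INSIDE = {"Bob"}    # the wall is drawn around Bob


def enforce(channels, inside, policy):
    """Apply a policy (subset of confine_caps, isolate_caps, confine_bits,
    isolate_bits) to every channel that crosses the wall."""
    kept = []
    for src, dst, kind in channels:
        if (src in inside) != (dst in inside):        # crosses the wall
            verb = "confine" if src in inside else "isolate"
            if f"{verb}_bits" in policy:
                continue                              # no bits: channel is gone
            if kind == "caps" and f"{verb}_caps" in policy:
                kind = "bits"                         # only data gets through
        kept.append((src, dst, kind))
    return kept


def reaches(channels, sources, targets, kinds):
    """Breadth-first search: can anything flow from sources to targets over
    channels of the given kinds, possibly through intermediaries?"""
    seen, queue = set(sources), deque(sources)
    while queue:
        node = queue.popleft()
        for src, dst, kind in channels:
            if src == node and kind in kinds and dst not in seen:
                if dst in targets:
                    return True
                seen.add(dst)
                queue.append(dst)
    return False


def analyse(policy):
    ch = enforce(CHANNELS, INSIDE, policy)
    return {
        # Power itself travels from Bob to Mallet over capability channels
        "delegation": reaches(ch, HOLDERS, {"Mallet"}, {"caps"}),
        # Mallet's instructions (bits) reach a holder who invokes Power for him
        "proxying": reaches(ch, {"Mallet"}, HOLDERS, {"caps", "bits"}),
        # data Bob knows travels out to Mallet (bits are not confined)
        "leak": reaches(ch, HOLDERS, {"Mallet"}, {"caps", "bits"}),
    }
```

Calling `analyse({"confine_caps", "isolate_caps"})` still reports proxying as possible; adding `"isolate_bits"` removes it while the outward leak remains.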