Capability Security Without Confinement (was: Thoughts on droplets)

Mark S. Miller
Mon, 01 Nov 1999 16:21:10 -0800

At 01:43 PM 11/1/99 , Mark S. Miller wrote:
>When Drexler & I were writing the Agoric Open Systems papers, before we 
>met Norm, we thought we had proven to ourselves that confinement and 
>abstraction were not simultaneously possible in a capability system.  As a 
>result, the entirety of the agoric work back then assumed a world of 
>capability security without capability confinement.  At machine 
>granularity, this remains the situation.
>All the distributed capability architecture we did at the WebMart project 
>at Sun, and at EC Habitats at relied only on capability 
>security without confinement or partitioning.

Just to emphasize the point that capability security without confinement is
quite useful, here are some further examples of programs or protocols that
need security but don't need confinement:

* MarcS's two secure distributed apps written in E, echat & edesk.

* ERTP, in either the E or Droplets embodiments.

* All the examples in the fc00 paper.  Nowhere does that paper define or
assume confinement, nor does it need to for its claims.

None of which necessarily addresses Jonathan's objections, as I'm only
making a tenuous inference that his distributed "partitioning" has the same
possibility constraints as confinement.  This remains to be established.