Thoughts on droplets -- clarification
Mark S. Miller
Tue, 02 Nov 1999 10:55:15 -0800
At 10:40 AM 11/2/99 , Tyler Close wrote:
>Droplets(TM) has capabilities whose lifetime is bound to
>the HTTP session and capabilities whose lifetime is
>dictated by the application. This is done solely to support
>garbage collection. It has no security implication.
Likewise for E. The actual Pluribus protocol uses session specific small
numbers, and three party handoff does the transformation between
session-specific & global that Jonathan seems to be asking for. However,
the simplified Pluribus explained at
http://www.erights.org/elib/capability/ode/ode-protocol.html does not, and
we specifically state: "First we explain a simplified version of the E's
communications protocol, Pluribus, identical from a security point of view,
but less efficient." Distributed garbage collection is one of these
unexplained efficiency issues.
So, since we seem to have the transformations Jonathan is asking for, either
* we have misunderstood and have a different transformation, or
* we have some unrecognized security benefit in the actual Pluribus that
exceeds the security of the explained Pluribus, or,
* we are right that such transformations do not enhance security.
It should be possible to resolve which of these three situations we are in.
>Droplets(TM) has been designed with the belief that the
>entirety of the security policy should be expressed in the
>object's interface and the ability to limit access to this
>interface through distribution patterns (i.e.: capability