Thoughts on droplets -- clarification

Mark S. Miller markm@caplet.com
Tue, 02 Nov 1999 10:55:15 -0800


At 10:40 AM 11/2/99 , Tyler Close wrote:
>Droplets(TM) has capabilities whose lifetime is bound to
>the HTTP session and capabilities whose lifetime is
>dictated by the application. This is done solely to support
>garbage collection. It has no security implication.

Likewise for E.  The actual Pluribus protocol uses session-specific small 
numbers, and three-party handoff does the transformation between 
session-specific & global that Jonathan seems to be asking for.  However, 
the simplified Pluribus explained at 
http://www.erights.org/elib/capability/ode/ode-protocol.html does not, and 
we specifically state: "First we explain a simplified version of E's 
communications protocol, Pluribus, identical from a security point of view, 
but less efficient."  Distributed garbage collection is one of these 
unexplained efficiency issues.

So, since we seem to have the transformations Jonathan is asking for, either
* we have misunderstood and have a different transformation, or
* we have some unrecognized security benefit in the actual Pluribus that 
exceeds the security of the explained Pluribus, or,
* we are right that such transformations do not enhance security.
It should be possible to resolve which of these three situations we are in.

>Droplets(TM) has been designed with the belief that the
>entirety of the security policy should be expressed in the
>object's interface and the ability to limit access to this
>interface through distribution patterns (i.e.: capability
>semantics).

Well put.


         Cheers,
         --MarkM
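
[Added illustration, not part of the message above and not code from Pluribus, E or Droplets.  It is a toy model of the two kinds of reference the message contrasts: a "global" reference assumed here to be (vat name, unguessable swiss number), and a session-specific small number that indexes a per-session export table and means nothing outside that session.  The three-party handoff is modelled as: the sender converts its session number to the global form, ships it, and the receiver presents it to the hosting vat in its own session, where it gets a fresh small number.  All names (Vat, Session, three_party_handoff, the 128-bit swiss number) are assumptions of this toy, not the real protocol's wire format.]

```python
"""Toy model: session-specific small numbers vs. global references,
and a three-party handoff converting between them.  Not Pluribus code;
the data layout (vat name + random swiss number) is an assumption."""
import secrets


class Vat:
    def __init__(self, name):
        self.name = name
        self.hosted = {}      # swiss number -> live object (global table)
        self.sessions = {}    # peer vat name -> Session

    def host(self, obj):
        """Give obj an unguessable global name on this vat."""
        swiss = secrets.token_hex(16)     # 128-bit random secret
        self.hosted[swiss] = obj
        return (self.name, swiss)

    def session_with(self, other):
        """Find or create the single session between self and other."""
        if other.name not in self.sessions:
            s = Session(self, other)
            self.sessions[other.name] = s
            other.sessions[self.name] = s
        return self.sessions[other.name]


class Session:
    """Each side keeps an export table; a small number is only meaningful
    in this session and only for the side that issued it."""
    def __init__(self, a, b):
        self.vats = {a.name: a, b.name: b}
        self.exports = {a.name: [], b.name: []}   # issuer -> swiss list

    def peer_of(self, vat):
        return next(v for v in self.vats.values() if v is not vat)

    def send_ref(self, sender, global_ref):
        """Sender exports an object it hosts; returns the session number."""
        vat_name, swiss = global_ref
        if vat_name != sender.name or swiss not in sender.hosted:
            raise ValueError("sender does not host this object")
        table = self.exports[sender.name]
        table.append(swiss)
        return len(table) - 1

    def to_global(self, receiver, small):
        """Receiver turns a session number back into a global reference."""
        issuer = self.peer_of(receiver)
        return (issuer.name, self.exports[issuer.name][small])

    def accept_global(self, receiver, global_ref):
        """Receiver presents a global ref to its peer (which must host it);
        the peer exports it under a fresh number in this session."""
        host = self.peer_of(receiver)
        host_name, swiss = global_ref
        if host_name != host.name or swiss not in host.hosted:
            raise KeyError("unknown reference")   # guesses land here
        return self.send_ref(host, global_ref)

    def deref(self, receiver, small):
        issuer = self.peer_of(receiver)
        return issuer.hosted[self.exports[issuer.name][small]]


def three_party_handoff(sender, hosting_session, small, receiver):
    """Sender holds `small` in its session with the hosting vat; give the
    receiver the same object as a number in the receiver's own session."""
    global_ref = hosting_session.to_global(sender, small)
    host = hosting_session.vats[global_ref[0]]
    # global_ref is what travels from sender to receiver.
    return receiver.session_with(host).accept_global(receiver, global_ref)


def demo():
    a, b, c = Vat("A"), Vat("B"), Vat("C")
    x, y = object(), object()          # constructed sample objects on C
    ref_x, ref_y = c.host(x), c.host(y)
    s_ac, s_bc = a.session_with(c), b.session_with(c)
    x_in_ac = s_ac.send_ref(c, ref_x)  # X is number 0 in the A-C session
    y_in_bc = s_bc.send_ref(c, ref_y)  # Y is number 0 in the B-C session
    x_in_bc = three_party_handoff(a, s_ac, x_in_ac, b)
    try:
        s_bc.accept_global(b, ("C", "00" * 16))   # a guessed swiss number
        guess_works = True
    except KeyError:
        guess_works = False
    return {
        "x_in_ac": x_in_ac,
        "x_in_bc": x_in_bc,
        "b_gets_x": s_bc.deref(b, x_in_bc) is x,
        "same_number_other_session_is_y": s_bc.deref(b, x_in_ac) is y,
        "guess_works": guess_works,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the point of the message: the small number for X differs between the A-C and B-C sessions (0 vs. 1), the number 0 in B-C is a different object entirely, and what makes the global form safe to ship is only the unguessability of the swiss number, so the session-specific numbering is an efficiency/GC device rather than a security boundary.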