Tue, 28 Sep 1999 22:42:21 -0400
> difference. The most important symptom of the difference is in the
> cryptographic encoding of a capability. Droplets and E both use the
> swiss number technique. E also has the VatID specifically to deal
> with inter-Vat mutual suspicion -- not an issue with

I think I am understanding something here that I didn't
before. Are you suggesting that inter-Cistern communication
is not possible? If so, then I need to disagree.

If you wish, you can consider your web browser to be another
Cistern that is communicating with the Cistern on my server.
This communications link obeys capability semantics.

Similarly, another actual Cistern would communicate with
another actual Cistern in the same way. SSL, using the
existing PKI, with swiss number based external caps.

To make an analogy to the E case, the web site name is the
VatID. Using the existing PKI, we can validate the
encryption key given by the site. Granted, using the
existing PKI sucks compared to E's VatID, but on the other
hand, the existing PKI exists.

The only thing I can't do is prevent Cisterns on the same
machine from colluding. For that matter, I can't stop any
Java object from colluding with another. The only secure
interface that I have is precisely the one that I think your
comment suggests isn't there.
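
The following sketch is an added example, not part of the original message and not code from Droplets or E. It shows a swiss number based external capability carried in an https URL, where the site name stands in for the VatID; the class name CapTable, the /cap/ URL layout and the host cistern.example are assumptions made for illustration.

```python
import hashlib
import secrets
from urllib.parse import urlsplit


class CapTable:
    """Hypothetical table of capabilities exported by one site."""

    PREFIX = "/cap/"  # assumed URL layout, not taken from Droplets or E

    def __init__(self, site_name):
        # The site name is what the client checks against the TLS certificate.
        self.site_name = site_name.lower()
        self._objects = {}  # SHA-256(swiss number) -> exported object

    @staticmethod
    def _digest(swiss):
        return hashlib.sha256(swiss.encode("utf-8")).hexdigest()

    def export(self, obj):
        """Mint a fresh swiss number for obj and return the capability URL."""
        swiss = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        # Store only the digest, so a leaked table does not leak usable caps.
        self._objects[self._digest(swiss)] = obj
        return f"https://{self.site_name}{self.PREFIX}{swiss}"

    def resolve(self, url):
        """Return the designated object, or None if the URL grants nothing."""
        parts = urlsplit(url)
        if parts.scheme != "https":            # no authenticated channel
            return None
        if parts.hostname != self.site_name:   # capability names another site
            return None
        if not parts.path.startswith(self.PREFIX):
            return None
        swiss = parts.path[len(self.PREFIX):]
        return self._objects.get(self._digest(swiss))


def demo():
    table = CapTable("cistern.example")        # constructed site name
    inbox = {"name": "inbox"}                  # constructed exported object
    cap = table.export(inbox)
    guess = cap[:-1] + ("A" if cap[-1] != "A" else "B")
    return (table.resolve(cap) is inbox, table.resolve(guess),
            table.resolve(cap.replace("https://", "http://", 1)))
```

Possession of the full URL is the only authority here: there is no separate login or ACL check, so the URL has to be handled like a secret.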