Split Capabilities: Making Capabilities Scale

Mark S. Miller markm@caplet.com
Sun, 09 Jul 2000 10:23:34 -0700


At 08:30 AM 7/6/00 , Karp, Alan wrote:
>... the e-speak Protection Domain, an
>e-speak resource which defines the part of the universe accessible to the
>user.  It contains the e-speak root name frame, which defines the user's
>name space, and a mandatory key ring, basically a set of capabilities that
>get presented on every request.  In general, there are capabilities on this
>key ring that the user cannot remove.  This latter feature enables us to
>enforce "negative permissions", capabilities that deny access to certain
>resources.

If you indeed have a way to enforce negative permissions across a mutually
mistrustful distributed system, I would be very impressed.  If the user has
access to his own hardware, how is he prevented from removing the negative
capabilities on his mandatory key ring?


         Cheers,
         --MarkM
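The question above (whether a "negative permission" held on the user's own key ring can survive a user who controls his own hardware) can be made concrete with a small model. The following is an added illustration written for this page; it is not e-speak code and not MarkM's or Karp's, and the two enforcement models, the `Cap`/`DenyCap` types, the `ReferenceMonitor` class and the `/payroll` resource name are all constructed assumptions. Model A lets deny entries ride on the ring the client presents, so a client that edits its own ring simply drops them. Model B keeps the denial on the resource side, keyed by the unforgeable capability token, so there is nothing on the client for the user to remove.

```python
"""Constructed model of capability key rings with 'negative permissions'.

Not e-speak code. Two enforcement models are contrasted:
  A) deny entries travel on the client's key ring (client-enforced),
  B) deny entries are recorded at the resource's reference monitor.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cap:
    """A positive capability: an unforgeable random token naming a resource."""
    resource: str
    token: str = field(default_factory=lambda: secrets.token_hex(8))


@dataclass(frozen=True)
class DenyCap:
    """A 'negative permission': an entry meant to block access to a resource."""
    resource: str


def client_enforced_access(presented, resource):
    """Model A: the server trusts whatever ring arrives with the request.

    A DenyCap on the ring blocks access; otherwise any matching Cap allows it.
    The 'mandatory' ring is mandatory only if the client's software cooperates.
    """
    if any(isinstance(c, DenyCap) and c.resource == resource for c in presented):
        return False
    return any(isinstance(c, Cap) and c.resource == resource for c in presented)


class ReferenceMonitor:
    """Model B: denial is state held by the resource side, keyed by token.

    The client only ever holds positive tokens; withdrawing one is a change to
    the monitor's own table, which the client cannot edit from his hardware.
    """

    def __init__(self):
        self._issued = {}    # token -> resource it was issued for
        self._denied = set()  # tokens whose access has been withdrawn

    def issue(self, resource):
        cap = Cap(resource)
        self._issued[cap.token] = resource
        return cap

    def deny(self, cap):
        """Record the negative permission here, not on the client's ring."""
        self._denied.add(cap.token)

    def access(self, presented, resource):
        for c in presented:
            if (isinstance(c, Cap)
                    and self._issued.get(c.token) == resource
                    and c.token not in self._denied):
                return True
        return False


def demo():
    """Run both models on constructed data and return the outcomes."""
    # Model A: honest client presents the full mandatory ring ...
    payroll = Cap("/payroll")
    mandatory_ring = [payroll, DenyCap("/payroll")]
    honest = client_enforced_access(mandatory_ring, "/payroll")       # False
    # ... a client that edits its own ring just leaves the DenyCap out.
    stripped = [c for c in mandatory_ring if not isinstance(c, DenyCap)]
    tampered = client_enforced_access(stripped, "/payroll")           # True

    # Model B: the same withdrawal, recorded at the monitor instead.
    rm = ReferenceMonitor()
    cap = rm.issue("/payroll")
    before = rm.access([cap], "/payroll")                             # True
    rm.deny(cap)
    after = rm.access([cap], "/payroll")                              # False
    # A token the monitor never issued is simply unknown to it.
    forged = rm.access([Cap("/payroll")], "/payroll")                 # False

    return {"honest": honest, "tampered": tampered,
            "before_deny": before, "after_deny": after, "forged": forged}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {'allowed' if outcome else 'denied'}")
```

Model B is revocation of specific capabilities rather than a categorical "deny this principal" rule, which is the form a negative permission naturally takes in a capability system: the only state the resource can rely on is what it holds itself, so that is where the denial has to live.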