Split Capabilities: Making Capabilities Scale
Jonathan S. Shapiro
shap@eros-os.org
Sun, 23 Jul 2000 13:24:47 -0400
> My statement refers to the fact that the interposer need be nothing but two
> lines of code to be a message forwarder, while a capability, if remote,
> requires some cryptography
We need to be careful about this assumption. Clearly, cryptography is the
only technique we have right now for security over unsecured wires. It does
not follow that cryptographic capabilities are required. A sufficient
alternative would be unsecured capabilities transmitted between mutually
trusting runtimes over a more generically encrypted link.

This wouldn't work for E-speak, obviously, because ultimately the capability
representation is visible to the end user. It's a fine solution for
distributing a system like EROS. It also raises the possibility that each
participant E-speak system could be made responsible for its own encryption
locally. Not sure that's a good idea, but sometimes I find that thinking
around corners in this way is revealing.
shap
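
An added illustration of the alternative described in the message above (not code from the post, EROS or E-speak): the capability on the wire is a plain slot number with no cryptography in its representation, and protection comes from the secured link plus a per-link export table. The class and function names, the per-link table, and the HMAC framing that stands in for an encrypted link are assumptions.

```python
import hashlib
import hmac
import secrets

class SecuredLink:
    """Stand-in for the secured link: HMAC authenticates; a real link also encrypts."""
    def __init__(self, key: bytes):
        self._key = key
    def _tag(self, payload: bytes) -> bytes:
        return hmac.new(self._key, payload, hashlib.sha256).digest()
    def seal(self, payload: bytes) -> bytes:
        return self._tag(payload) + payload
    def open(self, frame: bytes) -> bytes:
        tag, payload = frame[:32], frame[32:]          # 32-byte SHA-256 tag
        if not hmac.compare_digest(tag, self._tag(payload)):
            raise PermissionError("frame did not come over the trusted link")
        return payload

class Runtime:
    """Hypothetical runtime with one export table per link (an assumed design)."""
    def __init__(self):
        self._exports = {}                              # link -> {slot: callable}
    def export(self, link, obj) -> int:
        table = self._exports.setdefault(link, {})
        table[len(table)] = obj                         # slot is a plain, guessable index
        return len(table) - 1
    def receive(self, link, frame: bytes):
        slot, _, arg = link.open(frame).partition(b":")
        table = self._exports.get(link, {})
        if not slot.isdigit() or int(slot) not in table:
            raise PermissionError("no such capability on this link")
        return table[int(slot)](arg)

def invoke(link, slot: int, arg: bytes) -> bytes:
    return link.seal(b"%d:%s" % (slot, arg))            # capability on the wire = slot number
def attempt(server, link, frame):
    try:
        return server.receive(link, frame)
    except PermissionError:
        return "rejected"

def demo():
    server = Runtime()
    link_a = SecuredLink(secrets.token_bytes(32))       # constructed key, trusted peer A
    link_c = SecuredLink(secrets.token_bytes(32))       # peer C, granted nothing
    slot = server.export(link_a, lambda data: data.upper())
    forged = invoke(SecuredLink(b"guessed key"), slot, b"x")
    return {"peer_a": attempt(server, link_a, invoke(link_a, slot, b"hello")),
            "outsider": attempt(server, link_a, forged),
            "peer_c": attempt(server, link_c, invoke(link_c, slot, b"x"))}
```

Calling `demo()` shows the same guessable slot number succeeding for the peer it was exported to and failing both for a sender without the link key and for a second peer whose link has no such export.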