Split Capabilities: Making Capabilities Scale
Mark S. Miller
markm@caplet.com
Sun, 23 Jul 2000 17:55:09 -0700
At 10:24 AM 7/23/00 , Jonathan S. Shapiro wrote:
>... A sufficient
>alternative would be unsecured capabilities transmitted between mutually
>trusting runtimes over a more generically encrypted link.
>... It's a fine solution for
>distributing a system like EROS.
Only under the assumption of mutually trusting runtimes as you say, which
requires mutually trusting hardware, which realistically requires
tamper-stop hardware (at least, on tamper-detection, wipe out the private
key used to authenticate this box to other boxes). This in turn requires all
users of a network of such mutually trusting boxes to all trust one box
manufacturer. This cure is worse than the disease. See again
http://www.eros-os.org/~majordomo/e-lang/1075.html .
Please let's instead engineer systems for the "Cypherpunk Reference
Scenario" and its variants
http://www.erights.org/elib/capability/conspire.html#revokability , as
Joule/Indra, E, Droplets, and E-speak have all done.
Cheers,
--MarkM