Split Capabilities: Making Capabilities Scale
Jonathan S. Shapiro
shap@eros-os.org
Mon, 24 Jul 2000 23:52:15 -0400
> Only under the assumption of mutually trusting runtimes as you say, which
> requires mutually trusting hardware, which realistically requires
> tamper-stop hardware (at least, on tamper-detection, wipe out the private
> key used to authenticate this box to other boxes). This in turn requires all
> users of a network of such mutually trusting boxes to all trust one box
> manufacturer...
This is clearly onerous for a distributed system, but is not a serious
problem for a network of workstations. In addition to the points you raise,
there are consistency and rollback issues when you scale beyond the local
case, but the network of workstations case remains useful.
shap