[E-Lang] [EROS-Arch] Re: Interaction Design for End-User Secu
rity
Karp, Alan
alan_karp@hp.com
Mon, 2 Apr 2001 10:33:16 -0700
>Revoking capabilities does require a proxy service, yes, and that
>proxy service can retain records of which proxies are created for
>whom.
This approach doesn't sound scalable. Doesn't it require a proxy per
capability per process, at least in the most general case?
When I first joined this list last year, I described how e-speak 2.2 used
"split capabilities" to reduce the scaling from NxM. I was told the scaling
wasn't a problem. I didn't believe it then, and I don't believe it now.
Alan Karp