[E-Lang] [EROS-Arch] Re: Interaction Design for End-User Security
kragen@pobox.com
Tue, 3 Apr 2001 04:02:56 -0400 (EDT)
"Karp, Alan" <alan_karp@hp.com> writes:
> >Revoking capabilities does require a proxy service, yes, and that
> >proxy service can retain records of which proxies are created for
> >whom.
>
> This approach doesn't sound scalable. Doesn't it require a proxy per
> capability per process, at least in the most general case?
It requires at least one proxy capability per capability per
compartment. There could be any number of processes in a compartment.
Each proxy capability should probably be implemented with a separate proxy.
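
The scheme discussed in this message, sketched as an added example (not part of the original post, and not E or EROS code): a proxy service that issues one revocable forwarder per capability per compartment and records which compartment received it. The names `makeProxyService`, `grant`, `revoke`, `audit` and the sample `log` object are assumptions made for illustration.

```javascript
// Hypothetical names throughout: makeProxyService, grant, revoke, audit.
function makeProxyService() {
  const records = []; // one entry per (capability, compartment) grant
  // Give `compartment` a revocable forwarder instead of `target` itself.
  function grant(target, capName, compartment) {
    let live = target; // set to null to sever this one forwarder
    const proxy = new Proxy({}, {
      get: (_, method) => (...args) => {
        if (live === null) throw new Error(`${capName} revoked for ${compartment}`);
        return live[method](...args);
      },
    });
    records.push({ capName, compartment,
      isLive: () => live !== null, sever: () => { live = null; } });
    return proxy;
  }
  // Sever every live proxy matching the given capability and/or compartment.
  function revoke({ capName, compartment }) {
    let n = 0;
    for (const r of records) {
      if (capName !== undefined && r.capName !== capName) continue;
      if (compartment !== undefined && r.compartment !== compartment) continue;
      if (r.isLive()) { r.sever(); n += 1; }
    }
    return n;
  }
  // Who was given what, and is the grant still live?
  const audit = () => records.map(
    (r) => ({ capName: r.capName, compartment: r.compartment, live: r.isLive() }));
  return { grant, revoke, audit };
}

// Constructed sample: one underlying capability shared with two compartments.
function demo() {
  const lines = [];
  const log = { append: (s) => lines.push(s), count: () => lines.length };
  const svc = makeProxyService();
  const forMailer = svc.grant(log, 'log', 'mailer');   // all mailer processes share this
  const forBrowser = svc.grant(log, 'log', 'browser'); // separate proxy, separately revocable
  forMailer.append('a');
  forBrowser.append('b');
  const revoked = svc.revoke({ compartment: 'browser' });
  let browserBlocked = false;
  try { forBrowser.append('c'); } catch (e) { browserBlocked = true; }
  forMailer.append('d'); // unaffected by the browser revocation
  return { revoked, browserBlocked, count: log.count(), audit: svc.audit() };
}
```

The forwarder only guards method calls; anything the underlying object returns is handed back unwrapped, so a target that returns references to itself would need a fuller membrane.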