[E-Lang] draft statement of consensus

hal@finney.org
Wed, 7 Feb 2001 10:58:38 -0800


Jonathan S. Shapiro, <shap@eros-os.org>, writes:

> Within capability systems, the issue is that there should be no way I
> should receive authorities without knowing about it. The reason this
> matters is that if I receive authorities without knowing about it, I
> might be tricked into using them in a way I did not intend because I
> mistakenly believe that the capability slot I invoked held some
> authority I understood.

Can you really guarantee in a capability system that you won't receive an
authority without knowing about it?  How can you know how much authority
is granted by each capability you are given?  What if one of them grants
more authority than you expect?

Hal