[E-Lang] Re: Java 2 "Security"
Jonathan S. Shapiro
Tue, 2 Jan 2001 23:25:19 -0500
> > one of the properties of the Java security model is the
> > ability to temporarily raise a privilege so a more sensitive operation
> > can be performed. A flag is put on the stack (i.e. in the messaging
> > wait-for chain) which signifies the point at which a privilege is
> > raised, and the privilege is raised until that frame is popped (there
> > are various other aspects of the model I am skipping). To get this
> > effect in a capability system you need to explicitly pass to each method
> > call below the point where the privilege was temporarily raised the fact
> > that this privilege was raised
I think that this is unduly pessimistic, because it neglects the possibility
of capabilities embedded in closures. One way to achieve what you want is to
have a procedure that performs the sensitive operation that is "closed over"
the necessary capability and does not disclose this capability to its