[E-Lang] Re: Java 2 "Security"

Jonathan S. Shapiro shap@eros-os.org
Tue, 2 Jan 2001 23:25:19 -0500

> > one of the properties of the Java security model is the
> > ability to temporarily raise a privilege so a more sensitive operation
> > can be performed.  A flag is put on the stack (i.e. in the messaging
> > wait-for chain) which signifies the point at which a privilege is
> > raised, and the privilege is raised until that frame is popped (there
> > are various other aspects of the model I am skipping).  To get this
> > effect in a capability system you need to explicitly pass to each method
> > call below the point where the privilege was temporarily raised the fact
> > that this privilege was raised

I think that this is unduly pessimistic, because it neglects the possibility
of capabilities embedded in closures. One way to achieve what you want is to
have a procedure that performs the sensitive operation that is "closed over"
the necessary capability and does not disclose this capability to its