the cost of complexity (was: Re: [E-Lang] Java 2 "Security" (was: Re: Welcome ChrisSkalkaand ScottSmith of Johns Hopkins))

Karp, Alan
Mon, 29 Jan 2001 09:30:26 -0800

> -----Original Message-----
> From: Mark S. Miller []
> Sent: Friday, January 26, 2001 4:18 PM
> To: Ralph Hartley
> Cc: Jonathan S. Shapiro;;;
> Subject: Re: the cost of complexity (was: Re: [E-Lang] Java 2 
> "Security"
> (was: Re: Welcome ChrisSkalkaand ScottSmith of Johns Hopkins))
> 			(snip)
> In neither case does Mary gain anything by suppressing the 
> 3-vat Granovetter 
> handoff between the power (acting as Carol), Bob (acting as 
> Alice), and 
> Mallet (acting as Bob).  Put another way, when Mary receives a proper 
> invocation on the power, it should never matter to her what 
> connection this 
> invocation is received on.  However, when the Mary-Bob 
> connection dies, she 
> should then revoke the capability to the power that she gave out.

We made a different decision in e-speak Beta 2.2.  Capabilities were kept in
the core, and clients were given names (handles) to refer to them.  Since
all e-speak Beta 2.2 names were path based, a given capability could be used
only on the path on which it was issued.  In the example here, Mary would
give Bob a name for a capability.  Bob could "forward" it to Mallet
(actually a name for a new capability representing this one), but Mallet
could only use it by asking Bob to proxy for him.  Trying to use the
capability on a different route, say directly to Mary, had no meaning.  The
Granovetter handoff required Bob to introduce Mallet to Mary, state what
powers he'd proxy for Mallet, and ask that Mary give Mallet a capability
representing the equivalent powers.  Note that this approach is still a
capability system, since Mary can give the same capability on many paths and
cares only that the capability is presented, not who presented it.

We did it this way because that's how our naming system worked, but it had
other advantages.  For example, the capability could not as easily be used
as part of a denial of service attack.  Since Mary controlled how many paths
the capability went out on, she controlled how rapidly she had to respond to
requests presenting it.  Also, Bob could give the capability to Mallet and
still maintain some control.  For example, if Bob had to pay for each use of
the capability, he could stop honoring Mallet's requests at any time without
involving Mary in any way.

> 				(snip)
>         Cheers,
>         --MarkM
> _______________________________________________
> e-lang mailing list

Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
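The path-bound naming scheme Alan describes above (capabilities held in a core, clients holding only names that mean something on the connection they were issued on, forwarding that works by proxying through the forwarder, and a Granovetter handoff that needs the issuer to mint a fresh name) is compact enough to model in a few dozen lines. The following is an added illustration written for this archive page; it is not e-speak code, and `Core`, `issue`, `forward`, `introduce`, `paths_for` and the principal names Mary, Bob and Mallet are all assumptions made for the example.

```python
"""Toy model of e-speak-style path-based capability names.  Added example,
not e-speak code: Core and its methods, and the principals Mary/Bob/Mallet,
are invented here to illustrate the design described in the post."""

import itertools
from dataclasses import dataclass
from typing import Any, Callable

Path = tuple[str, str]   # (issuer, holder): the connection a name is valid on


class PathError(LookupError):
    """A name was presented on a path it was never issued on."""


@dataclass
class Capability:
    power: Callable[..., Any]   # what the capability authorizes
    path: Path                  # the only path on which its name has meaning
    revoked: bool = False


class Core:
    """Capabilities live in the core; clients hold only (path, handle) names."""

    def __init__(self) -> None:
        self._names: dict[tuple[Path, int], Capability] = {}
        self._handles = itertools.count(1)

    def issue(self, issuer: str, holder: str, power: Callable[..., Any]) -> int:
        """Issuer gives holder a name for `power`, bound to path (issuer, holder)."""
        handle = next(self._handles)
        self._names[((issuer, holder), handle)] = Capability(power, (issuer, holder))
        return handle

    def invoke(self, path: Path, handle: int, *args: Any) -> Any:
        """Present a name on a connection.  The core checks only that the name
        was issued on this path; which principal is speaking is irrelevant."""
        cap = self._names.get((path, handle))
        if cap is None:
            raise PathError(f"handle {handle} has no meaning on path {path}")
        if cap.revoked:
            raise PermissionError(f"handle {handle} on {path} was revoked")
        return cap.power(*args)

    def _find(self, holder: str, handle: int) -> tuple[Path, Capability]:
        for (path, h), cap in self._names.items():
            if h == handle and path[1] == holder:
                return path, cap
        raise PathError(f"{holder} holds no handle {handle}")

    def forward(self, holder: str, handle: int, to: str,
                honor: Callable[[], bool]) -> int:
        """`holder` gives `to` a new capability representing an existing one.
        Every use by `to` is relayed through `holder` on the original path, so
        `holder` can stop honoring it (via `honor`) without involving the issuer."""
        orig_path, _ = self._find(holder, handle)

        def proxied(*args: Any) -> Any:
            if not honor():
                raise PermissionError(f"{holder} no longer proxies for {to}")
            return self.invoke(orig_path, handle, *args)   # relayed, not re-presented

        return self.issue(holder, to, proxied)

    def introduce(self, introducer: str, handle: int, newcomer: str) -> int:
        """Granovetter handoff in this scheme: the introducer cannot hand its
        own name across, so the issuer mints an equivalent name on a new path."""
        (issuer, _), cap = self._find(introducer, handle)
        return self.issue(issuer, newcomer, cap.power)

    def paths_for(self, power: Callable[..., Any]) -> list[Path]:
        """Issuer-side view: the connections a power has gone out on directly,
        which bounds how many routes requests for it can arrive over."""
        return [p for (p, _), cap in self._names.items()
                if cap.power is power and not cap.revoked]


def demo() -> dict[str, Any]:
    """Walk through the Mary/Bob/Mallet scenario from the post."""
    core = Core()
    uses: list[str] = []

    def power(who: str) -> str:        # Mary's power; records who used it
        uses.append(who)
        return f"power used by {who}"

    bob_h = core.issue("Mary", "Bob", power)
    bob_honors = {"Mallet": True}
    mallet_h = core.forward("Bob", bob_h, "Mallet", lambda: bob_honors["Mallet"])

    out: dict[str, Any] = {}
    out["via_bob"] = core.invoke(("Bob", "Mallet"), mallet_h, "Mallet")
    try:                                # Mallet tries the forwarded name straight at Mary
        core.invoke(("Mary", "Mallet"), mallet_h, "Mallet")
        out["direct"] = "accepted"
    except PathError:
        out["direct"] = "no meaning"
    bob_honors["Mallet"] = False        # Bob stops proxying; Mary is not involved
    try:
        core.invoke(("Bob", "Mallet"), mallet_h, "Mallet")
        out["after_stop"] = "accepted"
    except PermissionError:
        out["after_stop"] = "refused by Bob"
    direct_h = core.introduce("Bob", bob_h, "Mallet")   # proper handoff via Mary
    out["after_handoff"] = core.invoke(("Mary", "Mallet"), direct_h, "Mallet")
    out["paths"] = core.paths_for(power)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete is in `invoke`: the core never asks who is calling, only whether the name was issued on the connection it arrives over, which is why the same name presented on a different route "has no meaning" rather than being an authorization failure. `forward` shows the second property from the post, that Bob keeps control of what he proxied without Mary's cooperation, and `paths_for` is the issuer-side count behind the denial-of-service remark.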