[E-Lang] E FAQ

Mark S. Miller markm@caplet.com
Sun, 14 Oct 2001 23:49:29 -0700


[Forwarded with permission.  --MarkM]

At 07:27 PM 10/14/2001 Sunday, David Wagner wrote:
>(I should say that it might also make sense to ask, not only
>how early does a capability *need* to be revoked, but also
>how early can we revoke it, i.e., how soon can we say that
>the callee will never need it again.  Lest the distinction
>seem unimportant, my interest in the latter is on POLA grounds.)

Good point.  This indeed may often follow activation frame lifetimes, in 
much the same way that much dynamically allocated storage actually only 
needs to live as long as some activation frame, whether this can be 
statically determined or not.  Interesting.  I think this is worth exploring.


>For some of us in the OS security taught about these systems,
>the notion of a capability system is broader than just E-like
>semantics.  I'm sure the "E-like" qualifier is redundant for
>some audiences, but not -- I think -- for all, and I'd rather
>be redundant than risk confusion.  Does this seem reasonable?

In the interests of promoting E, you can't imagine how tempting it is to say 
yes.  But it just wouldn't be right.  Perhaps, referring to 
http://www.erights.org/history/overview.html , we could say 
lambda-capability systems, and thereby include Actors, Scheme, KeyKOS, 
EROS, Concurrent Prolog, Mozart, Joule, and Toontalk, but exclude Hydra, 
Kerberos, SPKI, Posix "capabilities", Netscape "capabilities", and several 
others.

Does this sound like a reasonable stance?

(Though I genuinely can't remember whether Hydra worked as you say, or was 
more KeyKOS-like.)


        Cheers,
        --MarkM
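
The idea discussed in this message, that a capability can often be revoked as soon as the activation frame it was passed into has returned, is sketched below with a revocable forwarder (the caretaker pattern). This is an added example, not part of the original message or of E; Python is not a capability-safe language, so it shows the pattern only, and `make_caretaker`, `lent`, `Log` and `demo` are hypothetical names.

```python
from contextlib import contextmanager

class Revoked(Exception): pass      # raised when a revoked forwarder is invoked

def make_caretaker(target):
    """Return (forwarder, revoke); forwarder relays method calls until revoked."""
    cell = [target]  # forwarder's only link to target (illustrative: Python closures are inspectable)
    class Forwarder:
        def __getattr__(self, name):
            def call(*args, **kwargs):
                # Checked at call time, so a stashed method stops working too.
                if cell[0] is None:
                    raise Revoked(name)
                return getattr(cell[0], name)(*args, **kwargs)
            return call

    def revoke():
        cell[0] = None
    return Forwarder(), revoke

@contextmanager
def lent(target):
    """Lend target for one block; revoke on exit, even if the callee raises."""
    forwarder, revoke = make_caretaker(target)
    try:
        yield forwarder
    finally:
        revoke()

class Log:
    def __init__(self):
        self.lines = []
    def write(self, line):
        self.lines.append(line)

def demo():
    stash = []                      # where a misbehaving callee keeps its argument
    def callee(log):
        log.write("during call")
        stash.append(log)           # tries to keep the authority past its return
    log = Log()
    with lent(log) as cap:          # authority lasts exactly as long as this block
        callee(cap)
    try:
        stash[0].write("after return")
        late = "allowed"
    except Revoked:
        late = "refused"
    return log.lines, late
```

Calling `demo()` returns `(['during call'], 'refused')`: the write made during the call reaches the log, and the retained reference is dead once the lending block exits.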