[E-Lang] E FAQ

Marc Stiegler marcs@skyhunter.com
Mon, 15 Oct 2001 04:31:49 -0700


> At 07:27 PM 10/14/2001 Sunday, David Wagner wrote:
> >(I should say that it might also make sense to ask, not only
> >how early does a capability *need* to be revoked, but also
> >how early can we revoke it, i.e., how soon can we say that
> >the callee will never need it again.  Lest the distinction
> >seem unimportant, my interest in the latter is on POLA grounds.)
>
> Good point.  This indeed may often follow activation frame lifetimes, in
> much the same way that much dynamically allocated storage actually only
> needs to live as long as some activation frame, whether this can be
> statically determined or not.  Interesting.  I think this is worth
> exploring.

It looks to me like activation frame lifetimes, while possibly interesting
POLA lifetimes for single-cpu systems, cease to be meaningful in distributed
secure systems, is that not so? One of the interesting things about
capabilities in E is that the kinds of security mechanisms one builds for
single-cpu systems are pretty much the same as the ones you build for
distributed systems (though not 100% of them: it is possible inside a single
vat to trivially implement an activation-frame-length capability, which
would not be transferable. And in the example I gave in my earlier reply,
the once-only algorithm would apply, and the
auto-revoke-upon-next-user-initiation would apply, but the timeout would at
best have a different meaning. It is interesting, and maybe informative, to
note that in my E apps so far, I have used once-only and
auto-revoke-on-next-initiation, but I haven't actually used a timeout or an
activation frame, so all my capability revocation machinery so far transfers
smoothly from centralized to distributed computing, and back again :-).

--marcs
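The revocation policies named in this post (once-only, auto-revoke on next user initiation, and a timeout), as an added JavaScript example that is not code from the E-Lang thread or from E itself: all function names are my own, and the timeout policy takes an injected clock so it runs deterministically.

```javascript
class RevokedError extends Error {}

// Basic caretaker (constructed example, not E-Lang code): a forwarder
// that relays calls to `target` until the separate revoker is invoked.
// Holding the forwarder grants no power to revoke; only `revoke` does.
function makeCaretaker(target) {
  let current = target;
  const forwarder = (...args) => {
    if (current === null) throw new RevokedError("capability revoked");
    return current(...args);
  };
  const revoke = () => { current = null; };
  return { forwarder, revoke };
}

// Once-only: the capability revokes itself after its first completed use.
function makeOnceOnly(target) {
  const { forwarder, revoke } = makeCaretaker(target);
  return (...args) => {
    const result = forwarder(...args);
    revoke();
    return result;
  };
}

// Revoke-on-next-initiation: each new user-initiated grant revokes
// the capability handed out for the previous interaction.
function makeSession(target) {
  let revokePrevious = () => {};
  return {
    initiate() {
      revokePrevious();
      const { forwarder, revoke } = makeCaretaker(target);
      revokePrevious = revoke;
      return forwarder;
    },
  };
}

// Timeout: usable only while the injected clock `now` is before
// `deadline`; the clock is injected (assumed interface) so the policy is testable.
function makeTimeLimited(target, deadline, now) {
  const { forwarder, revoke } = makeCaretaker(target);
  return (...args) => {
    if (now() >= deadline) revoke();
    return forwarder(...args);
  };
}
```

The activation-frame-length policy the post mentions is deliberately absent: it depends on stack lifetime inside one vat and has no transferable form.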