[E-Lang] E FAQ

Jonathan S. Shapiro shap@eros-os.org
Tue, 16 Oct 2001 07:58:55 -0400


> (I should say that it might also make sense to ask, not only
> how early does a capability *need* to be revoked, but also
> how early can we revoke it, i.e., how soon can we say that
> the callee will never need it again.  Lest the distinction
> seem unimportant, my interest in the latter is on POLA grounds.)

It is an error in the separation of duties for a provider to attempt to
discern when a consumer is done with a capability.

There are cases where we may sensibly say "the callee is no longer
*entitled* to this capability." An example would be where we pass a
capability to an object to a routine that computes the hash of that object,
and then wish to rescind access to the object in case the capability was
stored aside.

Otherwise, the decision to perform a rescind only makes sense in two cases:

    1. When volitionally destroying an object.
    2. When enforcing a mandatory policy as above.
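The hash example in the reply above, worked through as an added Python sketch that is not part of the original message and not E code: a revocable forwarder (the "caretaker" pattern) stands in for the capability handed to the hashing routine, so the provider can rescind it afterwards even if the callee stored the reference aside. All names (`make_caretaker`, `Document`, `sha256_of`) are my own and assumed for illustration.

```python
import hashlib


class Revoked(Exception):
    """Raised when a rescinded forwarder is used."""


def make_caretaker(target):
    """Return (proxy, revoke). The proxy forwards attribute access to
    target until revoke() is called; afterwards every use raises Revoked."""
    state = {"target": target}

    class Proxy:
        def __getattr__(self, name):
            current = state["target"]
            if current is None:
                raise Revoked(name)
            return getattr(current, name)

    def revoke():
        state["target"] = None  # drop the only path to the real object

    return Proxy(), revoke


class Document:
    def __init__(self, data: bytes):
        self._data = data

    def read(self) -> bytes:
        return self._data


def direct_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(doc, stash: list) -> str:
    """Consumer routine: hashes the object but also stores the capability
    aside (the situation the reply describes)."""
    stash.append(doc)
    return hashlib.sha256(doc.read()).hexdigest()


def demo():
    """Provider side: hand out a forwarder, get the hash, then rescind."""
    doc = Document(b"constructed sample document")  # constructed input
    proxy, revoke = make_caretaker(doc)
    stash = []
    digest = sha256_of(proxy, stash)
    revoke()  # provider decides the callee is no longer entitled
    try:
        stash[-1].read()  # the stored-aside reference is now useless
        still_readable = True
    except Revoked:
        still_readable = False
    return digest, still_readable
```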