[e-lang] [cap-talk] Non-Delegatable Authorities in Capability Systems

Mark Miller erights at gmail.com
Wed Dec 12 22:10:40 EST 2007

On Dec 12, 2007 6:23 PM, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> Thanks again for the clarification.
> At first glance, it appears that one needs to disallow (at least) the
> keywords
> method
> escape
> and stipulate that each vat runs a single turn only (in order to cover
> the case you pointed out in which one delegates a resolver and returns
> the corresponding promise).
> Would that be enough?

I'm not sure I see what the problem is. I understand and agree with
the first problem Kevin pointed out: the need to protect against
leakage of connectivity by other messages. As Kevin pointed out, this
corresponds to the difference between a Caretaker and a Membrane, and
is easily addressed in like manner.

But regarding the issue being discussed above, I think your paper as
is is already correct. The key is the code in your Figure 3, "An
implementation of NDA", only uses the results returned immediately by
.getNDAInvoc(). This prevents delegation by returning a promise and
passing the resolver. No further scheduling restrictions such as "each
vat runs a single turn only" seems necessary.

As for method and escape, again I see no problem. "escape" reifies
only the ability to return to the end of that escape block. Between
there and the end of the enclosing method, Bob is again in
non-delegatable control. In other words, even if Bob passes his
__return to someone else, Bob is still proxying rather than truly

Text by me above is hereby placed in the public domain


More information about the e-lang mailing list