> The answer is: you cannot, with or without confinement. First, just to get the
> terms straight, I assume that what you meant was:
> >Without confinement,
> >how is the statement that "A wrote **X**" supposed to be recorded in the
> >case of colluding A and B?
> That is, "A" and "B" are principals, and "X" is an object. Assume, for the sake
Well, that explains my confusion. I was wondering about domain A and domain/object B, and not about principals at all.
If A and B are at the mercy of the capability system for their current state, might it be possible to "back out" inappropriate communication after the fact, rather than to ensure that only appropriate communication was possible on every context switch? (in a distributed system, instead of requiring trusted code managing the keyspace mediating communication, could you allow direct communication between domains, but provide for audit when they wished to "commit"?)
I was inspired by a test system which, by postprocessing execution traces, could determine if data were being locked inconsistently in a multithreaded system. This seemed to be a counterpart to discretion: instead of proving beforehand that a set of domains would behave correctly, one could show afterwards that they had behaved incorrectly (and hence needed rework).
In other words: is it possible to allow limited key forgery while still retaining some of the benefits of a capability system? (can one be confident that domains have only used forged capabilities where they could have acquired legitimate ones?)
Now, if it is just as expensive to detect as to prevent, this is a pretty worthless idea. Also, if communication via data spaces is cheap enough, requiring intermediation only when actually exchanging keys may not be dear, and again this is a pretty worthless idea.
> which the confinement box can disclose things directly; the confinement contract
> is an *initial* contract; its continuance depends on the actions of the client.
It sounds like you're saying here that confinement *would* help, if it weren't for the inconvenient fact that the users of a system live outside of the confinement?
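The "audit at commit time" idea raised in this message, as an added illustration that is not code from the thread or from any capability system it mentions: domains start with legitimately held capabilities, capabilities may be passed from holder to holder, and a trace of uses is replayed afterwards so that any use of a capability the domain could not have obtained through a legitimate grant is flagged for rollback. The event format, the domain names and the `audit`/`commit` functions are all constructed for this example.

```python
"""Post-hoc audit of capability use (added example, constructed model).

Replays a trace of grants and uses against each domain's legitimately
held capabilities. A "use" of a capability the domain never legitimately
received is treated as a forged key and reported, so the communication
can be backed out instead of being prevented at every context switch.
"""

# Trace events (constructed format):
#   ("grant", src, dst, cap)  src passes capability cap to dst; src must hold it
#   ("use",   dom, cap)       dom invokes cap, legitimately or via a forged key


def audit(initial, trace):
    """Return a list of (event index, description) for every illegitimate event."""
    # Copy the initial holdings so the caller's dict is not mutated.
    held = {dom: set(caps) for dom, caps in initial.items()}
    violations = []
    for i, ev in enumerate(trace):
        kind = ev[0]
        if kind == "grant":
            _, src, dst, cap = ev
            if cap not in held.setdefault(src, set()):
                # A grant of a capability the source never held is itself forged,
                # and it does not legitimize the receiver's later uses.
                violations.append((i, f"{src} granted {cap} to {dst} without holding it"))
                continue
            held.setdefault(dst, set()).add(cap)
        elif kind == "use":
            _, dom, cap = ev
            if cap not in held.setdefault(dom, set()):
                violations.append((i, f"{dom} used {cap} it could not have legitimately acquired"))
        else:
            raise ValueError(f"unknown event {ev!r}")
    return violations


def commit(initial, trace):
    """Commit only if the audit is clean; otherwise report what must be backed out."""
    violations = audit(initial, trace)
    return (len(violations) == 0, violations)


def sample_run():
    """Constructed trace: one legitimate hand-off, then forged uses and a forged grant."""
    initial = {"A": {"X"}, "B": set()}
    trace = [
        ("grant", "A", "B", "X"),   # legitimate: A holds X
        ("use", "B", "X"),          # legitimate: B received X from A
        ("use", "C", "X"),          # forged: C was never granted X
        ("grant", "B", "D", "Y"),   # forged grant: B does not hold Y
        ("use", "D", "Y"),          # forged: D's only source of Y was an illegitimate grant
    ]
    return commit(initial, trace)


if __name__ == "__main__":
    ok, problems = sample_run()
    print("commit ok" if ok else "rollback required")
    for idx, why in problems:
        print(f"  event {idx}: {why}")
```

The replay is linear in the trace length, which is the cost the message weighs against mediating every key exchange up front; the check only answers the narrower question of whether a domain used a key it could have obtained legitimately, not whether the data it then communicated was appropriate.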