> Sorry, I don't like this either, as it doesn't correspond to capabilities as
> found in any of KeyKOS, EROS, Trusty Scheme (unpublished), Rees' very
> similar independent W7/Scheme48 security kernel
> Actors, Joule, or E.
I may well have bungled my description, but what I have in mind corresponds exactly to what KeyKOS and EROS do. I *believe* that it corresponds to Rees, but I will go check. The advantage to the way I am trying to think about this is that it gives an account for why node and process keys can have signatures exposing completely different operations (i.e. not related by an obvious access relationship in the underlying theoretical protection model) and why such things should still, from a mathematical perspective, be considered capabilities.
If it helps, I'm thinking in terms of the way objects used to be handled in (I think) CLOS, where an object is a thunk closed over some representation that exports a method dispatcher. The main difference is that I allow multiple closures (interfaces) over the same representation. Perhaps CLOS did that too.
Jonathan S. Shapiro, Ph. D.
IBM T.J. Watson Research Center
Phone: +1 914 784 7085 (Tieline: 863)
Fax: +1 914 784 7595