Re: Naive question Norman Hardy
Mon, 21 Dec 1998 17:29:27 -0800

At 4:35 PM -0500 12/19/98, wrote:
>I was aware that the KeyKOS answer was "no". The question concerned
>rationale: is there a good synopsis of *why* this answer should be no?
>>Consider now two capabilities naming the same object with distinct
>>interfaces (e.g. a client capability and an administrator capability for
>>the same object). Are there negative security implications to being able
>>to ask the object-EQ question (i.e. do these two capabilities name the
>>object, irrespective of what authority they convey)?

Yes, that is an entirely different question than what some of the answers were to. If I can see if two start keys are to the same domain, then that limits implementations that I am free to make now. In Keykos we considered the question of allocating facets to domains, an internal issue. (Sorry to mix Keykos and Joule terminology.) If a "to the same domain" query were available, that would have to be part of the interface.

For most cases it suffices to ask the object if this here other key is also to you.

I vote NO.

Norman Hardy
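
An added illustration of the point in the message above, not part of the original post and not KeyKOS or Joule code: a toy Python model in which one object is built two ways, with both facets on one domain or with one domain per facet. Every name in it (Key, Domain, also_to_you, kernel_same_domain) is hypothetical. The object-level query gives the same answer under both builds, while a system-level "to the same domain" query exposes how facets were allocated.

```python
# Added illustration. Key, Domain, one_domain, two_domains, also_to_you and
# kernel_same_domain are hypothetical names, not KeyKOS or Joule interfaces.

class Domain:
    """Serves one or more facets of an object."""
    def __init__(self, own, state):
        self.own = own        # keys the object claims as its own (shared)
        self.state = state    # the object's state (shared)

    def dispatch(self, facet, op, *args):
        if op == "also_to_you":   # object-level query, part of its interface
            return args[0] in self.own
        if op == "read":
            return self.state["balance"]
        if op == "set" and facet == "admin":
            self.state["balance"] = args[0]
            return True
        raise PermissionError(f"{facet} facet may not {op}")

class Key:
    """Opaque capability: names a facet of some domain."""
    def __init__(self, domain, facet):
        self._domain, self._facet = domain, facet

    def call(self, op, *args):
        return self._domain.dispatch(self._facet, op, *args)

def one_domain():
    """Implementation A: client and admin facets allocated to one domain."""
    own, state = set(), {"balance": 0}
    d = Domain(own, state)
    client, admin = Key(d, "client"), Key(d, "admin")
    own.update({client, admin})
    return client, admin

def two_domains():
    """Implementation B: each facet served by its own domain, same object."""
    own, state = set(), {"balance": 0}
    client = Key(Domain(own, state), "client")
    admin = Key(Domain(own, state), "admin")
    own.update({client, admin})
    return client, admin

def kernel_same_domain(a, b):
    """The system-level query under discussion (modelled, not a real primitive)."""
    return a._domain is b._domain
```

If callers could rely on kernel_same_domain, moving from build A to build B would change observable behaviour, so the facet allocation would stop being an internal matter.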