> difference. The most
> important symptom of the difference is in the
> cryptographic encoding of a
> capability. Droplets and E both use the swiss
> number technique. E also
> has the VatID
> specifically to deal with inter-Vat mutual
> suspicion -- not an issue with
I think I am understanding something here that I didn't before. Are you suggesting that inter-Cistern communication is not possible? If so, then I need to disagree.
If you wish, you can consider your web browser to be another Cistern that is communicating with the Cistern on my server. This communications link obeys capability semantics.
Similarly, another actual Cistern would communicate with another actual Cistern in the same way. SSL, using the existing PKI, with swiss number based external caps.
To make an analogy to the E case, the web site name is the VatID. Using the existing PKI, we can validate the encryption key given by the site. Granted, using the existing PKI sucks compared to E's VatID, but on the other hand, the existing PKI exists.
The only thing I can't do is prevent Cisterns on the same machine from colluding. For that matter, I can't stop any Java object from colluding with another. The only secure interface that I have is precisely the one that I think your comment suggests isn't there.