At 01:43 PM 11/1/99, Mark S. Miller wrote:
>When Drexler & I were writing the Agoric Open Systems papers, before we
>met Norm, we thought we had proven to ourselves that confinement and
>abstraction were not simultaneously possible in a capability system. As a
>result, the entirety of the agoric work back then assumed a world of
>capability security without capability confinement. At machine
>granularity, this remains the situation.
>
>All the distributed capability architecture we did at the WebMart project
>at Sun, and at EC Habitats at Communities.com relied only on capability
>security without confinement or partitioning.

Just to emphasize the point that capability security without confinement is quite useful, here are some further examples of programs or protocols that need security but don't need confinement:
None of which necessarily addresses Jonathan's objections, as I'm only making a tenuous inference that his distributed "partitioning" has the same possibility constraints as confinement. This remains to be established.