> -----Original Message-----
> From: Mark S. Miller [mailto:markm@caplet.com]
> Sent: Sunday, July 09, 2000 10:24 AM
> To: Karp, Alan
> Cc: 'Norman Hardy'; 'e-lang@eros-os.org'
> Subject: RE: Split Capabilities: Making Capabilities Scale
>
>
> At 08:30 AM 7/6/00 , Karp, Alan wrote:
> >... the e-speak Protection Domain, an
> >e-speak resource which defines the part of the universe accessible to the
> >user. It contains the e-speak root name frame, which defines the user's
> >name space, and a mandatory key ring, basically a set of capabilities that
> >get presented on every request. In general, there are capabilities on this
> >key ring that the user cannot remove. This latter feature enables us to
> >enforce "negative permissions", capabilities that deny access to certain
> >resources.
>
> If you indeed have a way to enforce negative permissions across a mutually
> mistrustful distributed system, I would be very impressed. If the user has
> access to his own hardware, how is he prevented from removing the negative
> capabilities on his mandatory key ring?
>
>
> Cheers,
> --MarkM
>
First of all, one e-speak machine cares not a hoot for resources on another machine. Hence, the negative capability is applied only on the machine owning the resource. Its presentation is enforced because all remote users access local resources through a local proxy having a protection domain controlled by the local system. On the local system, we rely on separation of address spaces. If we don't have that, all bets are off. The protection domain and mandatory key ring are kept in the engine address space.