l4-hurd

Re: Amoeba's approach to capabilities


From: Jonathan S. Shapiro
Subject: Re: Amoeba's approach to capabilities
Date: Mon, 10 Oct 2005 09:24:08 -0400

On Mon, 2005-10-10 at 14:55 +0200, Ludovic Courtès wrote:
> > There is no possibility of
> > implementing a capability system without a trusted kernel (or runtime).
> > *Something* has to provide basic isolation enforcement. If you don't
> > have this, then you cannot protect the cryptography, and if you can't
> > protect that you have no protection at all in the kind of system you are
> > contemplating.
> 
> Ok.  This is not a problem for an OS or language run-time.  However,
> this means that collaboration in a fully decentralized way (various
> machines on the Internet) cannot rely on a protected capability system.
> Unless a "trusted kernel" is distributed among the participants, for
> instance in the form of "trusted hardware" (which is IMO an oxymoron,
> but that's another story).

This is correct -- except that I don't think this is an oxymoron. We're
working on doing that very thing. Please continue to be skeptical until
(and after) we can demonstrate it.

And I agree that it is ironic. I think there are many open issues to be
solved in bootstrapping trust. Humans, obviously, do not rely on
absolute trust in this same sense. Somebody needs to explore how we can
construct reliance in a similar fashion in computational systems.


shap
