l4-hurd
From: Bas Wijnen
Subject: Re: Design principles and ethics (was Re: Execute without read (was [...]))
Date: Sun, 30 Apr 2006 20:01:02 +0200
User-agent: Mutt/1.5.11+cvs20060403

On Sun, Apr 30, 2006 at 10:03:30AM -0400, Jonathan S. Shapiro wrote:
> > > It is also not confinement if the parent can read the child without the
> > > consent of the child. Therefore it is not confinement at all.
> > 
> > I have two problems with this statement. a) Every process has been
> > instantiated by /someone/, so every process has a parent. b) I agree
> > with you that this is not confinement, but the parent *may* confine the
> > child by dropping all references to it.
> 
> Yes, the parent can do that. No, it is NOT confinement. Confinement is
> when we know that the parent MUST drop all references, by virtue of
> being trusted.

That is what Marcus calls non-trivial confinement.  In the case of trivial
confinement, _only_ the parent is actually interested in the child being
confined.  So it doesn't matter at all if the parent has access.  It's simply
irrelevant.

Since all interesting properties of confinement (given the restrictions that
come with the "trivial" part) are present, it makes a lot of sense to call
this "confinement".  It also makes sense to distinguish it from confinement in
general, since it's only a special case.  Because it's trivial to do (put the
code somewhere and make it run), "trivial confinement" isn't even a bad name.

Actually, I think Marcus called it "trivial" because he thought it was trivial
to see that this did indeed result in a confined child.  I agreed (and I still
do), but you don't seem to. :-)

Thanks,
Bas

-- 
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text
   in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html

Attachment: signature.asc
Description: Digital signature
