l4-hurd

Re: Revocation vs destruction


From: Jonathan S. Shapiro
Subject: Re: Revocation vs destruction
Date: Fri, 14 Oct 2005 10:56:30 -0400

On Fri, 2005-10-14 at 16:12 +0200, Marcus Brinkmann wrote:
> At Thu, 13 Oct 2005 22:04:20 -0400,
> "Jonathan S. Shapiro" <address@hidden> wrote:
> > 
> >   REVOCABLE COPY
> > 
> >                            L4     EROS/Coyotos  Notes
> >   Primitive?               Yes    No            [1,6]
> >   Delegatable revocation?  No     Yes           [3]
> 
> Just as a side note, _if_ you can make a copy of your capability, you
> could delegate the revocation right in L4 by deriving the revocable
> copy from your own copy, and then grant your copy to some other
> process.

This allows transfer of delegation authority, but not sharing of
delegation authority. This violates uniformity of mechanism: why should
this one right have this funny restriction when everything else operates
consistently?

The solution is to make the wrapping object (which exists implicitly in
L4 in the form of the database node) explicitly named by a capability,
but I think this would require a substantial re-think of L4sec's current
design.

I shall answer the remainder of your note in a little while -- I need to
run out.

shap
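
The difference between transferring and sharing the revocation right, as an added example that is not part of the original message and is not L4, L4sec, EROS or Coyotos code. It is a toy model; `MapNode`, `Wrapper`, `derive`, `grant`, `model_a` and `model_b` are hypothetical names, and the grant-moves-the-node behaviour is an assumption of the model.

```python
# Toy model, constructed for illustration; all names here are hypothetical.
class Revoked(Exception): pass

class MapNode:
    """Model A: implicit mapping-database node; holding the parent node is the revocation right."""
    def __init__(self, target, parent=None):
        self.target, self.children, self.live = target, [], True
        if parent is not None:
            parent.children.append(self)
    def invoke(self):
        if not self.live:
            raise Revoked()
        return self.target
    def unmap(self):                          # revoke every copy derived from this node
        for child in self.children:
            child.live = False
            child.unmap()
        self.children.clear()

def derive(src, slot, dst, dst_slot):         # revocable copy under src's node
    dst[dst_slot] = MapNode(src[slot].target, src[slot])

def grant(src, slot, dst, dst_slot):          # the node moves; src loses it
    dst[dst_slot] = src.pop(slot)

class Wrapper:
    """Model B: the wrapping object is named by a capability that can be copied."""
    def __init__(self, target):
        self.target, self.live = target, True
    def invoke(self):
        if not self.live:
            raise Revoked()
        return self.target
    def revoke(self):
        self.live = False

def model_a():
    a, b, c = {}, {}, {}                      # capability spaces of three processes
    a["rev"] = MapNode("object")
    derive(a, "rev", c, "use")                # C gets the revocable copy
    grant(a, "rev", b, "rev")                 # transfer: A no longer holds the right
    b["rev"].unmap()
    return "rev" in a, "rev" in b, c["use"].live

def model_b():
    a, b, c, w = {}, {}, {}, Wrapper("object")
    a["rev"] = b["rev"] = w.revoke            # shared: A and B both hold the right
    c["use"] = w.invoke                       # C holds only the use facet
    b["rev"]()
    return "rev" in a, "rev" in b, w.live
```

In model A exactly one process holds the revocation right at any time; in model B both A and B hold it and either can revoke C's access.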




