[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Distributed Capabilities
From: |
Jonathan S. Shapiro |
Subject: |
Re: Distributed Capabilities |
Date: |
Mon, 27 Mar 2006 14:07:16 -0500 |
On Mon, 2006-03-27 at 16:48 +0200, Tom Bachmann wrote:
> > That is feasible, except that you lose confinement (i.e., the bit
> > representation of capabilities is visible to the participants, so one
> > can transfer capabilities off-line, e.g., over the phone)
>
> Right. But the point of "distributed caps" is that they are sent over
> net, i.e. the bit representation is made visible.
The first statement is correct. The second is not. Make the links
between the platforms encrypted.
> So if you want confinement the app must not hold (transitively) a cap to
> the forwarder (i.e. a wrapped "distributed cap").
The reason you need to wrap isn't security. The reason is that a
capability to a particular page on a particular machine has no intrinsic
meaning on any other machine. The only sensible interpretation of a
distributed capability system in this context is where the "remoted"
capability acts as a proxy for the real one.
- Re: SSH revised, (continued)
Re: SSH revised, Tom Bachmann, 2006/03/24
Re: Distributed Capabilities, Eric Northup, 2006/03/27
Re: Distributed Capabilities, Ludovic Courtès, 2006/03/27
Re: Distributed Capabilities, Eric Northup, 2006/03/27
Re: Distributed Capabilities, Ludovic Courtès, 2006/03/28
Re: Distributed Capabilities, Jonathan S. Shapiro, 2006/03/27
Re: Distributed Capabilities, Marcus Brinkmann, 2006/03/28
Re: Distributed Capabilities, Jonathan S. Shapiro, 2006/03/28
Re: Distributed Capabilities, Marcus Brinkmann, 2006/03/28
Re: Distributed Capabilities, Jonathan S. Shapiro, 2006/03/28