l4-hurd

Re: Distributed Capabilities


From: Tom Bachmann
Subject: Re: Distributed Capabilities
Date: Mon, 27 Mar 2006 21:17:56 +0200
User-agent: Mozilla Thunderbird 1.0.7 (X11/20051031)

Jonathan S. Shapiro wrote:
> On Mon, 2006-03-27 at 16:48 +0200, Tom Bachmann wrote:
>>> That is feasible, except that you lose confinement (i.e., the bit
>>> representation of capabilities is visible to the participants, so one
>>> can transfer capabilities off-line, e.g., over the phone)
>>
>> Right. But the point of "distributed caps" is that they are sent over net, i.e. the bit representation is made visible.
>
> The first statement is correct. The second is not. Make the links
> between the platforms encrypted.

Still the other machine has to be trusted (OK, passing a cap to an untrusted entity hoping it doesn't spread it is stupid). I was confused by the "send by phone" statement, that is possible now.

>> So if you want confinement the app must not hold (transitively) a cap to the forwarder (i.e. a wrapped "distributed cap").
>
> The reason you need to wrap isn't security. The reason is that a
> capability to a particular page on a particular machine has no intrinsic
> meaning on any other machine. The only sensible interpretation of a
> distributed capability system in this context is where the "remoted"
> capability acts as a proxy for the real one.



Hm, I'm not sure if we're talking about the same issue. In my scenario the forwarder wraps every cap to another machine, so it can be invoked locally.

I think now I am a bit confused about who can trust whom and what breaks confinement and what not in a network environment :)
--
-ness-



