On Mon, 2006-03-27 at 16:48 +0200, Tom Bachmann wrote:
> > That is feasible, except that you lose confinement (i.e., the bit
> > representation of capabilities is visible to the participants, so one
> > can transfer capabilities off-line, e.g., over the phone)
>
> Right. But the point of "distributed caps" is that they are sent over
> net, i.e. the bit representation is made visible.

The first statement is correct. The second is not. Make the links between the platforms encrypted.

> So if you want confinement the app must not hold (transitively) a cap to
> the forwarder (i.e. a wrapped "distributed cap").

The reason you need to wrap isn't security. The reason is that a capability to a particular page on a particular machine has no intrinsic meaning on any other machine. The only sensible interpretation of a distributed capability system in this context is where the "remoted" capability acts as a proxy for the real one.
