On Thu, May 25, 2006 at 11:02:07AM +0200, Michal Suchanek wrote:
> >> I don't see how your proposal enables a process to check anything
> >> accurately and in a tamperproof way about its environment. In your
> >> model, it is mandatory for a process to trust all of its parents.
> >>
> >> In the ping or competition case, that's not possible.
> >
> > It is. The parent space bank is the user session, which is not under user
> > control.
>
> In your proposal the user can choose to run the program in opaque
> storage. But the administrator cannot choose to set up a program that
> can be run only in opaque storage to ensure its integrity (much like
> suid programs on unix).
He can. My proposal (which, for clarity, I'd prefer not to need; but if we need opaque storage, I think this is the way to implement it) makes opaque storage possible.

A constructor is simply a service which starts a program. No special features are needed for it. A constructor which allows running on opaque user-provided storage of course needs a way for the user to provide opaque storage (and for the constructor to check it). That's what the proposal provides. Implementing a constructor around it which works identically to constructors in Jonathan's proposal is trivial.

Thanks,
Bas

--
I encourage people to send encrypted e-mail (see http://www.gnupg.org).
If you have problems reading my e-mail, use a better reader.
Please send the central message of e-mails as plain text in the message body, not as HTML and definitely not as MS Word.
Please do not use the MS Word format for attachments either.
For more information, see http://129.125.47.90/e-mail.html
_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
