On Tue, 2005-10-18 at 14:55 +0100, Neal H. Walfield wrote:
> At Tue, 18 Oct 2005 08:42:55 -0400,
> Jonathan S. Shapiro wrote:
> > In order to implement the protocol that you describe, the cap server
> > requires:
> >
> >   a) sufficient authority to inspect the content of every capability
>
> I am not sure that this much authority is required depending on the
> design of the server.  (See below.)
>
> >   b) sufficient authority to fabricate any capability (because it
> >      must be able to exchange any capability).
>
> I take issue with the "any" qualifier here.  The cap server needs to
> be able to exchange any capability that it *manages*.

Please name a capability that does not require this management?

> [I]f there was a system call which allowed the caller to check if a
> mapping was derived from another mapping in the same address space,
> then we can use that to "unroll" mapping loops like the one in the
> first scenario, i.e. Server -> Client -> Server, or in the second,
> i.e. Server -> Reference Counter -> Client A -> Client B ->
> Reference Counter.[1]
>
> The requirement is that capabilities which can be exchanged must be
> registered with a mutually trusted capability server.

I don't think that this is right. The capability server must have
sufficient authority to obtain a capability that will not be
invalidated when the process that instantiated the object exits.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
