Re: cap exchange race with map/unmap

Wed, 19 Oct 2005 09:09:31 -0700 

At Wed, 19 Oct 2005 09:52:40 +0200,
[EMAIL PROTECTED] (Ludovic Courtès) wrote:
> 
> Hello,
> 
> Marcus Brinkmann <[EMAIL PROTECTED]> writes:
> 
> > At Tue, 18 Oct 2005 14:27:56 -0400,
> > "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> >
> > [A broken protocol snipped]
> >
> >> I believe that the only possible protocol that could be correct is for
> >> all object servers to return by way of CapServer.
> >
> > I agree.  This is exactly what I proposed in my talk in Dijon.
> >
> > The server maps a revocable copy to the cap server.  The cap server
> > maps another revocable copy to each client.
> 
> Marcus, how is this different from what Jonathan described in
> <[EMAIL PROTECTED]>, that is:
> 
>   In the absence of any authority to fabricate new capabilities, the
>   following chain of mappings is now in effect after the exchange:
> 
>         RevCopy                RevCopy
>      A ----------> CapServer -----------> B
 
Here, A and B are clients.  Let me draw you a picture of the only
solution I know, which also Shapiro mentioned above:

Before copy operation:

           RevCopy               RevCopy
Server S ----------> CapServer -----------> A

After A initiated the copy operation to B:

           RevCopy               RevCopy        RevCopy
Server S ----------> CapServer -----------> A ----------> B

After B initiated the copy operation from the cap server.

           RevCopy               RevCopy        RevCopy
Server S ----------> CapServer -----------> A ----------> B
                             ^                            |
                             |           RevCopy          |
                             +----------------------------+

The revocable copy from B to the cap server proves to the cap server
that B possesses the capability, and furthermore allows the cap server
to identify the capability to copy in the first place!

At the end of copy operation:

           RevCopy               RevCopy        RevCopy
Server S ----------> CapServer -----------> A ----------> B
                             |                            ^
                             |           RevCopy          |
                             +----------------------------+

The copy from B to the cap server has been removed.  It's not needed
anymore.

After the copy operation:

           RevCopy               RevCopy
Server S ----------> CapServer -----------> A
                             |
                             |   RevCopy
                             +------------> B

The copy from A to B has been removed.  It is not needed anymore.  Now
A and B have a co-equal copy.

Thanks,
Marcus



_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd

Reply via email to