Marcus:

Please re-send using the more careful notation. I suspect that you
aren't getting out the revocation hierarchy that you think you are.
Whether I am right or wrong, it is better to be sure.

shap


On Wed, 2005-10-19 at 15:10 +0200, Marcus Brinkmann wrote:
> At Wed, 19 Oct 2005 09:52:40 +0200,
> [EMAIL PROTECTED] (Ludovic Courtès) wrote:
> > 
> > Hello,
> > 
> > Marcus Brinkmann <[EMAIL PROTECTED]> writes:
> > 
> > > At Tue, 18 Oct 2005 14:27:56 -0400,
> > > "Jonathan S. Shapiro" <[EMAIL PROTECTED]> wrote:
> > >
> > > [A broken protocol snipped]
> > >
> > >> I believe that the only possible protocol that could be correct is for
> > >> all object servers to return by way of CapServer.
> > >
> > > I agree.  This is exactly what I proposed in my talk in Dijon.
> > >
> > > The server maps a revocable copy to the cap server.  The cap server
> > > maps another revocable copy to each client.
> > 
> > Marcus, how is this different from what Jonathan described in
> > <[EMAIL PROTECTED]>, that is:
> > 
> >   In the absence of any authority to fabricate new capabilities, the
> >   following chain of mappings is now in effect after the exchange:
> > 
> >         RevCopy                RevCopy
> >      A ----------> CapServer -----------> B
>  
> Here, A and B are clients.  Let me draw you a picture of the only
> solution I know, which also Shapiro mentioned above:
> 
> Before copy operation:
> 
>            RevCopy               RevCopy
> Server S ----------> CapServer -----------> A
> 
> After A initiated the copy operation to B:
> 
>            RevCopy               RevCopy        RevCopy
> Server S ----------> CapServer -----------> A ----------> B
> 
> After B initiated the copy operation from the cap server.
> 
>            RevCopy               RevCopy        RevCopy
> Server S ----------> CapServer -----------> A ----------> B
>                              ^                            |
>                              |           RevCopy          |
>                              +----------------------------+
> 
> The revocable copy from B to the cap server proves to the cap server
> that B possesses the capability, and furthermore allows the cap server
> to identify the capability to copy in the first place!
> 
> At the end of copy operation:
> 
>            RevCopy               RevCopy        RevCopy
> Server S ----------> CapServer -----------> A ----------> B
>                              |                            ^
>                              |           RevCopy          |
>                              +----------------------------+
> 
> The copy from B to the cap server has been removed.  It's not needed
> anymore.
> 
> After the copy operation:
> 
>            RevCopy               RevCopy
> Server S ----------> CapServer -----------> A
>                              |
>                              |   RevCopy
>                              +------------> B
> 
> The copy from A to B has been removed.  It is not needed anymore.  Now
> A and B have a co-equal copy.
> 
> Thanks,
> Marcus
> 



_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd

Reply via email to