On Tue, 2005-10-25 at 19:50 +0200, Martin Schaffner wrote:

> Hi, I have two questions concerning agents such as ConfirmPassword and
> OpenFile/SaveFile:
>
> * would it be possible to avoid the *requirement* that instantiators
> cannot inspect instantiateds in the following way: If an application
> (A) wants to get a password-protected capability or a file system
> capability (which you suggest should be done with a trusted utility U
> such as ConfirmPassword), it has to contact a server S. So instead of
> giving A a capability to the constructor of U, we just give it a
> capability to S, which is trusted, and can't be inspected by A.
This would be an unfortunate design, because we now have a situation where many programs have a common channel of communication, and one can use this to implement denial of service and/or denial of resource on another. Avoiding this is why polyinstantiation is such a useful tool. For the most part, sharing is a problem to be designed out, not a feature to be encouraged. Sharing should only exist where it is driven by the need to solve a concrete *user*-driven requirement.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
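As an added illustration of the design point in the reply above (this is constructed example code, not part of the original thread and not code from the Hurd, Coyotos, or either correspondent), the following Python simulation compares the two designs: a single trusted server S whose one bounded request queue is shared by every application, versus a constructor that hands each application its own instance of the utility U with its own private budget. The class names, the queue capacity and the request counts are assumptions chosen for the illustration; the only claim the code makes is that a resource shared through a common channel lets one client's load starve another, while per-client instantiation keeps the budgets separate.

```python
"""Constructed example: shared server vs. polyinstantiated utility.

Not from the original mailing-list thread; names and numbers are assumptions.
"""
from collections import deque


class BoundedQueue:
    """A request queue with a fixed capacity.

    The capacity stands in for any finite resource a server holds on behalf
    of its clients (queue slots, memory, handles). Once it is full, further
    requests are refused regardless of who sent them.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = deque()

    def submit(self, client, request):
        """Return True if the request was queued, False if it was dropped."""
        if len(self.queue) >= self.capacity:
            return False
        self.queue.append((client, request))
        return True


class SharedServer:
    """Design 1 (the proposal being criticised): one server S for everyone.

    All applications hold a capability to the same S, so its queue is a
    channel they all share.
    """

    def __init__(self, capacity):
        self.queue = BoundedQueue(capacity)

    def submit(self, client, request):
        return self.queue.submit(client, request)


class Constructor:
    """Design 2 (polyinstantiation): a constructor for the utility U.

    Each instantiate() call yields a fresh instance with its own budget, so
    no two applications ever share a queue.
    """

    def __init__(self, per_instance_capacity):
        self.per_instance_capacity = per_instance_capacity

    def instantiate(self):
        return BoundedQueue(self.per_instance_capacity)


def victim_requests_accepted_shared(capacity, flood, victim_requests):
    """Application A floods the shared server, then B submits its requests.

    Returns how many of B's requests were accepted.
    """
    server = SharedServer(capacity)
    for i in range(flood):
        server.submit("A", f"A-req-{i}")
    return sum(server.submit("B", f"B-req-{i}") for i in range(victim_requests))


def victim_requests_accepted_polyinstantiated(capacity, flood, victim_requests):
    """Same load pattern, but A and B each get their own instance of U.

    Returns how many of B's requests were accepted.
    """
    ctor = Constructor(capacity)
    u_for_a = ctor.instantiate()
    u_for_b = ctor.instantiate()
    for i in range(flood):
        u_for_a.submit("A", f"A-req-{i}")
    return sum(u_for_b.submit("B", f"B-req-{i}") for i in range(victim_requests))


if __name__ == "__main__":
    # Constructed scenario: capacity 8, A sends 100 requests, B sends 5.
    print("shared server, B accepted:",
          victim_requests_accepted_shared(8, 100, 5))
    print("polyinstantiated, B accepted:",
          victim_requests_accepted_polyinstantiated(8, 100, 5))
```

In the shared design B gets nothing through once A has filled the common queue; with a per-client instance B's budget is untouched by A's load. The simulation does not model inspection at all, which is the other half of the original question; it only shows the resource-sharing consequence the reply singles out.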
