On Mon, 2006-03-27 at 14:57 +0200, Ludovic Courtès wrote:
> Hi,
>
> Tom Bachmann <[EMAIL PROTECTED]> writes:
>
> > As described in one of my mails [1] to coyotos-dev and somewhere on
> > the E language homepage [2] it is possible to implement transparent
> > "remote" capabilities, i.e. caps that are invoked like normal local
> > ones but that actually invoke servers on other machines over the
> > net.
>
> That is feasible, except that you lose confinement (i.e., the bit
> representation of capabilities is visible to the participants, so one
> can transfer capabilities off-line, e.g., over the phone), unless you
> consider that some ``trusted kernel'' hides that representation from
> applications on both ends. This is what is proposed in [0] where the
> trusted thing is the language runtime running on both ends.
Actually, it's a very old idea. It's been proposed for KeyKOS and EROS, and it goes back at least to DCCS (1976). Either you have a trust agreement between the kernels, or no distributed security story is possible in principle. Doesn't matter if it is capabilities or something else.

> However, in practice, as Marcus said, everyone is free to run whatever
> OS they may like.

Not necessarily. This is an example of one of the *valid* uses of remote attestation. Attestation gives me the ability to form my associations with other people selectively. The right to assemble selectively is a fundamental freedom that is currently not supported in computational systems.

> [0] http://www.erights.org/elib/capability/dist-confine.html

E is a bit different, because it can at least trace exposure to a particular machine and test consequences of partial security failures.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
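The confinement point in the quoted exchange, as an added illustration that is not part of the thread and is not E's, Coyotos's or any other project's code: a remote capability whose wire form (here a random "swiss number") is visible to the application can be copied out of band and used from any machine, whereas a design in which a per-machine trusted runtime keeps the wire form to itself and hands the application only an opaque handle makes the leaked value useless elsewhere. The `Network`, `Server`, `TrustedRuntime` and `Handle` classes and the token format are constructed for this example; Python does not actually stop code from reading `_tokens`, which is exactly the sense in which the runtime on both ends has to be trusted.

```python
import secrets


class Server:
    """A service object living on some machine; each invocation is counted."""

    def __init__(self, name):
        self.name = name
        self.calls = 0

    def invoke(self, arg):
        self.calls += 1
        return f"{self.name}({arg})"


class Network:
    """Constructed stand-in for the net. A remote capability's wire form is a
    'swiss number': an unguessable random token that names a server object."""

    def __init__(self):
        self._exports = {}

    def export(self, server):
        token = secrets.token_hex(16)   # 128 random bits: unforgeable, but copyable
        self._exports[token] = server
        return token

    def call(self, token, arg):
        server = self._exports.get(token)
        if server is None:
            raise PermissionError("no such capability")
        return server.invoke(arg)


# ---- Style 1: transparent remote cap; the app holds the raw bits ----

class RemoteCap:
    """Invoked like a local object, but the application holds the token itself."""

    def __init__(self, net, token):
        self.net = net
        self.token = token

    def __call__(self, arg):
        return self.net.call(self.token, arg)


def visible_bits_escape():
    """A confined app on machine A holds a RemoteCap. Even if it cannot open
    network connections, the token is ordinary data and can be copied out of
    band (screen, phone) and replayed from machine C, which was never granted
    the capability. Returns True if the copy confers the same authority."""
    net = Network()
    server = Server("files")
    cap_on_a = RemoteCap(net, net.export(server))
    cap_on_a("read")                      # legitimate use on A
    note_on_paper = cap_on_a.token        # the bits leave the system
    cap_on_c = RemoteCap(net, note_on_paper)
    cap_on_c("read")                      # C invokes with the copied bits
    return server.calls == 2


# ---- Style 2: trusted runtime on each machine hides the bits ----

class Handle:
    """Opaque per-runtime descriptor; the app can observe only the index."""

    def __init__(self, runtime, index):
        self.runtime = runtime
        self.index = index


class TrustedRuntime:
    """Per-machine runtime (an E vat or a kernel, in the thread's terms) that
    keeps wire-form tokens to itself and hands applications only handles.
    Assumed trusted: the real system must prevent apps from reading _tokens."""

    def __init__(self, net):
        self.net = net
        self._tokens = []

    def import_cap(self, token):
        self._tokens.append(token)
        return Handle(self, len(self._tokens) - 1)

    def invoke(self, handle, arg):
        if handle.runtime is not self:
            raise PermissionError("handle belongs to another runtime")
        return self.net.call(self._tokens[handle.index], arg)


def hidden_bits_escape():
    """Same leak attempt under the trusted-runtime design. The app on A can
    copy its handle index out of band, but an index means nothing to the
    runtime on C (assumed: an app reaches only its own machine's runtime).
    Returns True only if C manages to invoke the server with the leaked value."""
    net = Network()
    server = Server("files")
    runtime_a = TrustedRuntime(net)
    runtime_c = TrustedRuntime(net)
    handle_on_a = runtime_a.import_cap(net.export(server))
    runtime_a.invoke(handle_on_a, "read")
    leaked_index = handle_on_a.index      # all the app can observe and copy
    try:
        runtime_c.invoke(Handle(runtime_c, leaked_index), "read")
    except (PermissionError, IndexError):
        return False
    return server.calls == 2
```

Running `visible_bits_escape()` returns True and `hidden_bits_escape()` returns False. The second design only holds up if every runtime that ever imports the token behaves this way, which is the "trust agreement between the kernels" of the reply: a single machine whose runtime exposes `_tokens` to its applications turns the hidden design back into the visible one.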
