Forking a child per-request is more overhead than many users find acceptable.
As regards the semantics, the basic premise is that a lock (or perhaps more appropriately a key) object be required to unlock it. That object is then not exposed to untrusted code. That reduces the risk to one of malicious code that can guess the location in memory of the key.

-- This message posted from opensolaris.org