Re: ConfirmPassword
From: Jonathan S. Shapiro
Subject: Re: ConfirmPassword
Date: Tue, 25 Oct 2005 21:12:00 -0400
On Tue, 2005-10-25 at 19:50 +0200, Martin Schaffner wrote:
> Hi, I have two questions concerning agents such as ConfirmPassword and
> OpenFile/SaveFile:
>
> * would it be possible to avoid the *requirement* that instantiators
> cannot inspect instantiateds in the following way: If an application
> (A) wants to get a password-protected capability or a file system
> capability (which you suggest should be done with a trusted utility U
> such as ConfirmPassword), it has to contact a server S. So instead of
> giving A a capability to the constructor of U, we just give it a
> capability to S, which is trusted, and can't be inspected by A.
This would be an unfortunate design, because we now have a situation
where many programs have a common channel of communication, and one can
use this to implement denial of service and/or denial of resource on
another.
Avoiding this is why polyinstantiation is such a useful tool.
For the most part, sharing is a problem to be designed out, not a
feature to be encouraged. Sharing should only exist where it is driven
by the need to solve a concrete *user*-driven requirement.
shap
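The contrast Shapiro draws above, as an added toy model that is not part of the original thread or of any EROS/Coyotos code: in the shared-server design every application talks to one instance S, so its bounded pool of pending prompts is a common channel and a greedy client A can starve client B; in the polyinstantiated design a constructor hands each caller its own private instance with its own pool, so A can only exhaust itself. The class and function names (PasswordAgent, make_agent, the two scenario functions) and the "pending prompt slots" resource are hypothetical stand-ins for a ConfirmPassword-style agent.

```python
"""Added example (not from the original thread): shared server vs.
polyinstantiated agent, modelled as contention for one bounded resource.
All names here are hypothetical stand-ins."""

from dataclasses import dataclass, field


class ResourceExhausted(Exception):
    """Raised when an agent's pool of pending prompts is full."""


@dataclass
class PasswordAgent:
    """Hypothetical ConfirmPassword-style agent. The bounded list of
    pending prompts is the resource a caller can exhaust."""
    max_pending: int
    pending: list = field(default_factory=list)

    def request(self, client: str, label: str) -> int:
        """Queue a prompt on behalf of `client`; return the queue depth."""
        if len(self.pending) >= self.max_pending:
            raise ResourceExhausted(f"{client}: no prompt slots left")
        self.pending.append((client, label))
        return len(self.pending)


def shared_server_scenario(max_pending: int = 4) -> dict:
    """Design 1 (Martin's proposal): one trusted server S shared by all
    applications. A's unfinished requests sit in the same pool B needs."""
    s = PasswordAgent(max_pending)
    outcome = {}
    for i in range(max_pending):          # A floods S and never completes
        s.request("A", f"flood-{i}")
    try:                                  # B now cannot get a prompt at all
        s.request("B", "open-my-vault")
        outcome["B"] = "served"
    except ResourceExhausted:
        outcome["B"] = "starved"
    outcome["A_pending"] = sum(1 for c, _ in s.pending if c == "A")
    return outcome


def make_agent(max_pending: int) -> PasswordAgent:
    """Design 2 (constructor / polyinstantiation): every call yields a
    fresh instance; the caller holds a capability to that instance only."""
    return PasswordAgent(max_pending)


def polyinstantiated_scenario(max_pending: int = 4) -> dict:
    """A and B each get their own agent, so A's flood touches only A's pool."""
    agent_a = make_agent(max_pending)
    agent_b = make_agent(max_pending)
    outcome = {}
    for i in range(max_pending):
        agent_a.request("A", f"flood-{i}")
    try:
        agent_b.request("B", "open-my-vault")
        outcome["B"] = "served"
    except ResourceExhausted:
        outcome["B"] = "starved"
    outcome["A_pending"] = len(agent_a.pending)
    # No state is common to the two instances: there is no channel to abuse.
    outcome["shared_state"] = (agent_a is agent_b
                               or agent_a.pending is agent_b.pending)
    return outcome


if __name__ == "__main__":
    print("shared server    :", shared_server_scenario())
    print("polyinstantiated :", polyinstantiated_scenario())
```

The model deliberately gives the shared server no per-client accounting: adding it would require S to tell its callers apart, which is exactly the kind of sharing the reply says should be designed out rather than managed.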