Re: Distributed Capabilities
From: Jonathan S. Shapiro
Subject: Re: Distributed Capabilities
Date: Mon, 27 Mar 2006 14:05:09 -0500
On Mon, 2006-03-27 at 14:57 +0200, Ludovic Courtès wrote:
> Hi,
>
> Tom Bachmann <address@hidden> writes:
>
> > As described in one of my mails [1] to coyotos-dev and somewhere on
> > the E language homepage [2] it is possible to implement transparent
> > "remote" capabilities, i.e. caps that are invoked like normal local
> > ones but that actually invoke servers on other machines over the
> > net.
>
> That is feasible, except that you lose confinement (i.e., the bit
> representation of capabilities is visible to the participants, so one
> can transfer capabilities off-line, e.g., over the phone), unless you
> consider that some ``trusted kernel'' hides that representation from
> applications on both ends. This is what is proposed in [0] where the
> trusted thing is the language runtime running on both ends.
Actually, it's a very old idea. It's been proposed for KeyKOS and EROS,
and it goes back at least to DCCS (1976).
Either you have a trust agreement between the kernels, or no distributed
security story is possible in principle. Doesn't matter if it is
capabilities or something else.
> However, in practice, as Marcus said, everyone is free to run whatever
> OS they may like.
Not necessarily. This is an example of one of the *valid* uses of remote
attestation. Attestation gives me the ability to form my associations
with other people selectively. The right to assemble selectively is a
fundamental freedom that is currently not supported in computational
systems.
> [0] http://www.erights.org/elib/capability/dist-confine.html
E is a bit different, because it can at least trace exposure to a
particular machine and test consequences of partial security failures.
shap
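To make the confinement point in the quoted paragraph concrete, here is an added toy model (not code from this thread, nor from E, EROS or Coyotos): a kernel that keeps capabilities inside itself and logs every transfer, beside a transparent remote capability whose wire form is an unguessable token that any holder can copy out-of-band. The names Kernel, RemoteServer and RemoteCap are assumptions of this example.

```python
import secrets

class Kernel:
    """Toy kernel-mediated capability model (constructed for this example, not EROS
    or Coyotos code): caps live only in the kernel, processes hold c-list slot indices."""
    def __init__(self):
        self.clists = {}     # process -> list of kernel-held capability objects
        self.transfers = []  # every transfer passes through, and is logged by, the kernel
    def grant(self, proc, cap):
        self.clists.setdefault(proc, []).append(cap)
        return len(self.clists[proc]) - 1     # the process only ever sees this index
    def send(self, src, slot, dst):
        cap = self.clists[src][slot]          # src names the cap by slot, never by bits
        self.transfers.append((src, dst))
        return self.grant(dst, cap)
    def holders(self, cap):
        return sorted(p for p, cl in self.clists.items() if cap in cl)

class RemoteServer:
    """Server side of a transparent remote cap: maps unguessable tokens to objects."""
    def __init__(self):
        self.objects = {}    # token -> object name
        self.transfers = []  # no protocol message for "transfer" exists, so stays empty
    def export(self, name):
        token = secrets.token_hex(16)
        self.objects[token] = name
        return RemoteCap(self, token)
    def invoke(self, token):
        return self.objects[token]            # only invocations are ever observed

class RemoteCap:
    """Client proxy: invoked like a local cap, but its wire form is plain data."""
    def __init__(self, server, token):
        self.server, self.token = server, token
    def wire(self):
        return self.token                     # the bits are visible to the holder
    def invoke(self):
        return self.server.invoke(self.token)

def kernel_mediated_demo():
    k, cap = Kernel(), object()
    k.send("alice", k.grant("alice", cap), "bob")
    return k.holders(cap), len(k.transfers)   # (['alice', 'bob'], 1): kernel sees it

def offline_transfer_demo():
    server = RemoteServer()
    alice = server.export("file")
    bob = RemoteCap(server, alice.wire())     # bits copied out-of-band, e.g. by phone
    return bob.invoke(), len(server.transfers)  # ('file', 0): transfer is invisible
```

In the first model the kernel can answer "who holds this capability", which is what a confinement check needs; in the second the server only ever sees indistinguishable invocations, so the transfer leaves no trace unless a trusted runtime on both ends hides the token from application code.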