l4-hurd

Re: Part 2: System Structure


From: Pierre THIERRY
Subject: Re: Part 2: System Structure
Date: Tue, 23 May 2006 22:15:44 +0200
User-agent: Mutt/1.5.11+cvs20060403

Scribit Bas Wijnen dies 23/05/2006 hora 20:53:
> This capability also allows checking that these banks are opaque.

In all your scenarios, you seem to omit something: without the
constructor mechanism, no process can verify anything accurately about
any other process, except if all of the parents of it are to be trusted.

That is, except for a process spawned by the TCB, no capability can be
trusted not to be faked or sniffed. And AFAIK, there is no means for a
process to check that it has been spawned by the TCB.

But when a process is spawned by a constructor and given some
capabilities to the TCB that the requestor cannot spy or alter, it is
given the ability to check properties of its environment accurately.

Am I wrong on anything here?

Curiously,
Nowhere man
-- 
address@hidden
OpenPGP 0xD9D50D8A

Attachment: signature.asc
Description: Digital signature

