List: e-lang
Subject: RE: [E-Lang] Authority -- what is its dual?
From: "Mark S. Miller" <markm () caplet ! com>
Date: 2001-10-23 4:10:23
While appreciating your overall point, I try not to miss any opportunities
to pick nits, so...
At 04:50 PM 10/22/2001 Monday, Andreas Raab wrote:
>[...] it's pretty clear what
>you _mean_ here (e.g., nothing "dangerous" gets over the wire and nothing
>"dangerous" gets into E from Java) [...]
The second clause, about "into E from Java", is a fine first approximation.
The first clause, about "over the wire", isn't. Much of the point of
capabilities is to transmit dangerous things (like a purse containing money)
over the wire safely -- these dangerous things may only be abused (e.g., by
spending) by those that have been given access to those dangerous things.
Whereas 'purse' is a PassByProxy dangerous thing, a ConstList containing
this purse, '[purse]', is itself one-level PassByCopy, Selfless (value-based
equality), Frozen (immutable), and Transparent (non-encapsulating), but is
no less dangerous than the purse. When passed, the copy that's received
contains a far reference to the same purse, which thereby grants the same
authority.
The point of having PassByCopy imply these other properties is so that
passing it by copy doesn't cause surprises, especially surprises that
compromise security. If we allowed encapsulated objects to be passed by
copy, a programmer could too easily be misled into not noticing that this
apparent encapsulation was compromised by transmitting the state to an
untrusted host. Whereas no one will be surprised that passing a '[purse]'
gives access to the purse.
Cheers,
--MarkM
_______________________________________________
e-lang mailing list
e-lang@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/e-lang
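Added illustration (not part of the message above, and not E's or CapTP's own
code): a small Python model of the argument-passing semantics MarkM describes.
A ConstList is PassByCopy, so it is rebuilt on the receiving side, but a purse
inside it is PassByProxy, so the rebuilt list holds a far reference to the one
purse and grants the same authority. The model also applies the guard the
message argues for: an encapsulating object that claims PassByCopy but is not
Transparent is refused rather than having its hidden state shipped across the
wire. All names here (Purse, ConstList, OpaqueBox, FarRef, FarPurse, Vat, wire,
unwire, demo) are invented for this example, and the "wire" is a tuple encoding
rather than a real CapTP connection.

```python
"""Hypothetical model of PassByCopy vs. PassByProxy. Not E/CapTP code."""
from dataclasses import dataclass


class Purse:
    """PassByProxy: encapsulated, mutable authority. It never leaves its vat;
    only a far reference to it crosses the wire."""

    def __init__(self, balance: int) -> None:
        self._balance = balance

    @property
    def balance(self) -> int:
        return self._balance

    def withdraw(self, amount: int) -> int:
        if amount > self._balance:
            raise ValueError("insufficient funds")
        self._balance -= amount
        return amount


class ConstList(tuple):
    """PassByCopy: Selfless (value equality), Frozen, Transparent. Encoded
    element by element, so a proxy inside it stays a proxy."""


class OpaqueBox:
    """An encapsulating object that *claims* PassByCopy (the mistake the message
    warns about): Frozen, but its state is hidden, so it is not Transparent."""

    pass_by_copy = True  # hypothetical marker; the guard in wire() rejects it

    def __init__(self, secret: str) -> None:
        self._secret = secret


@dataclass(frozen=True)
class FarRef:
    """Wire token for a PassByProxy object: exporting vat plus export id.
    Carries none of the object's state."""
    vat: str
    export_id: int


class Vat:
    """One side of the connection: an export table of locally hosted objects."""

    registry: dict = {}  # name -> Vat; stands in for the network

    def __init__(self, name: str) -> None:
        self.name = name
        self.exports: dict = {}
        Vat.registry[name] = self

    def export(self, obj) -> FarRef:
        for eid, existing in self.exports.items():
            if existing is obj:  # same object -> same far reference
                return FarRef(self.name, eid)
        eid = len(self.exports) + 1
        self.exports[eid] = obj
        return FarRef(self.name, eid)


@dataclass(frozen=True)
class FarPurse:
    """Receiver-side proxy: every call is forwarded to the exporting vat."""
    ref: FarRef

    def withdraw(self, amount: int) -> int:
        target = Vat.registry[self.ref.vat].exports[self.ref.export_id]
        return target.withdraw(amount)


def is_transparent(obj) -> bool:
    """PassByCopy is honoured only for values whose state is fully exposed."""
    return isinstance(obj, (int, str, bool, ConstList))


def wire(obj, sender: Vat):
    """Encode one argument for transmission from `sender`."""
    if isinstance(obj, ConstList):
        return ("copy", tuple(wire(e, sender) for e in obj))
    if isinstance(obj, (int, str, bool)):
        return ("copy", obj)
    if getattr(obj, "pass_by_copy", False) and not is_transparent(obj):
        # Guard: copying would ship encapsulated state to the other host.
        raise TypeError(f"{type(obj).__name__} is not Transparent; cannot PassByCopy")
    return ("far", sender.export(obj))  # default: PassByProxy


def unwire(msg):
    """Decode on the receiving side: copies are rebuilt, far refs become proxies."""
    kind, payload = msg
    if kind == "far":
        return FarPurse(payload)
    if isinstance(payload, tuple):
        return ConstList(unwire(e) for e in payload)
    return payload


def demo() -> dict:
    alice = Vat("alice")
    purse = Purse(100)
    # '[purse]' goes by copy, but the received copy holds a far reference to
    # the very same purse: the receiver can spend from it.
    received = unwire(wire(ConstList([purse]), alice))
    received[0].withdraw(30)
    again = unwire(wire(ConstList([purse]), alice))  # Selfless: equal by value
    try:
        wire(OpaqueBox("hidden"), alice)
        refused = False
    except TypeError:
        refused = True
    return {"balance": purse.balance, "selfless": received == again,
            "opaque_refused": refused,
            "wire_form": wire(ConstList([purse]), alice)}
```

Running demo() shows the three points at once: the sender's purse balance drops
to 70 after the receiver spends through the copied list, two separately
transmitted copies of '[purse]' compare equal, and the wire form of '[purse]'
contains only a FarRef, never the purse's balance.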