[coyotos-dev] Explicit Persistence Considered Harmful
Charles Landau
clandau at macslab.com
Wed Aug 20 16:26:42 CDT 2008
Jonathan S. Shapiro wrote:
> On Wed, 2008-08-20 at 13:49 -0700, Charles Landau wrote:
>>> The type of reconnection provided by open (or by device keys in KeyKOS)
>>> is more or less what I was thinking about, except that I had in mind
>>> some vague sort of scheme in which the opening party must reconnect
>>> (open) via some server that is in a position to determine that the
>>> opening party is authorized (e.g. by some form of persistent process
>>> identity
>> Of course, you want to avoid IBAC.
>
> Depends on the identity. Identity of system entities such as processes
> is not really a problem, provided those identities are sufficiently well
> protected.
That's not sufficient to avoid the confused deputy problem.
Fortunately the scheme below does not rely on identities.
>> It seems to me you need a durable capability for each non-durable
>> capability. The difference between the two is that the non-durable
>> capability is rescinded on restart, giving the client the clue to use
>> the durable capability to reestablish the non-durable capability and the
>> consistency it implies.
>
> Yes, except that you don't need durable capabilities for non-durable
> objects.
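The reconnect pattern Landau sketches above (a durable capability to the persistent object, a non-durable capability to the open session, rescission at restart as the client's cue to reopen and restore the consistency the session implied) as a small runnable model. This is an added example, not code from Coyotos, KeyKOS or either author; every name in it (Kernel, FileServer, DurableCap, NonDurableCap, Client) is invented for illustration, and the incarnation counter is an assumed stand-in for whatever mechanism a real kernel uses to rescind volatile capabilities at restart.

```python
"""Durable vs. non-durable capabilities across a restart (added example).

Not Coyotos or KeyKOS code; all names are invented for illustration.
The incarnation counter is an assumption standing in for the kernel's
real rescission mechanism.
"""
import itertools


class Rescinded(Exception):
    """Invoking a non-durable capability minted before the last restart."""


class Kernel:
    """Volatile system state: an incarnation counter plus the objects whose
    in-memory state is lost at restart. (Assumed model, not a real kernel.)"""

    def __init__(self):
        self.incarnation = 0
        self._ids = itertools.count(1)
        self._volatile = []

    def register_volatile(self, obj):
        self._volatile.append(obj)

    def fresh_id(self):
        return next(self._ids)

    def restart(self):
        # Bump the incarnation: every non-durable capability becomes stale
        # and every registered object drops its volatile state.
        self.incarnation += 1
        for obj in self._volatile:
            obj.drop_volatile_state()


class FileServer:
    """Persistent object: file contents survive restart (as if checkpointed);
    open sessions (file name + cursor offset) do not."""

    def __init__(self, kernel):
        self._kernel = kernel
        self._files = {}      # persistent
        self._sessions = {}   # volatile
        kernel.register_volatile(self)

    def drop_volatile_state(self):
        self._sessions.clear()

    def open(self, name):
        # Mint a non-durable capability to a fresh session on `name`.
        sid = self._kernel.fresh_id()
        self._files.setdefault(name, "")
        self._sessions[sid] = {"name": name, "offset": 0}
        return NonDurableCap(self._kernel, self, sid)

    def session_op(self, sid, op, *args):
        sess = self._sessions[sid]
        if op == "seek":
            sess["offset"] = args[0]
            return sess["offset"]
        if op == "write":
            data, off = args[0], sess["offset"]
            content = self._files[sess["name"]]
            self._files[sess["name"]] = content[:off] + data + content[off + len(data):]
            sess["offset"] = off + len(data)
            return len(data)
        raise ValueError(op)

    def contents(self, name):
        return self._files[name]


class DurableCap:
    """Capability to a persistent file. Whoever holds it may open sessions;
    no process identity is consulted, only possession of the capability."""

    def __init__(self, server, name):
        self._server, self.name = server, name

    def open(self):
        return self._server.open(self.name)


class NonDurableCap:
    """Capability to one open session; valid only in the incarnation in
    which it was minted, because the kernel rescinds it at restart."""

    def __init__(self, kernel, server, sid):
        self._kernel, self._server, self._sid = kernel, server, sid
        self._minted_in = kernel.incarnation

    def invoke(self, op, *args):
        if self._minted_in != self._kernel.incarnation:
            raise Rescinded(f"session {self._sid} died with incarnation {self._minted_in}")
        return self._server.session_op(self._sid, op, *args)


class Client:
    """Holds the durable file capability and one non-durable session on it.
    Remembers its own cursor so a reopened session is consistent with the
    writes already made."""

    def __init__(self, file_cap):
        self._file_cap = file_cap   # survives restart
        self.session = None         # may be rescinded
        self._cursor = 0
        self.reconnects = 0

    def _live_session(self):
        if self.session is None:
            self.session = self._file_cap.open()
            self.session.invoke("seek", self._cursor)   # restore implied consistency
        return self.session

    def write(self, data):
        for _ in range(2):
            try:
                n = self._live_session().invoke("write", data)
                self._cursor += n
                return n
            except Rescinded:
                # Rescission is the cue: drop the stale session and rebuild
                # it from the durable capability, then retry once.
                self.session = None
                self.reconnects += 1
        raise RuntimeError("session could not be re-established")


def demo():
    """Write across a restart; return the observable results."""
    kernel = Kernel()
    server = FileServer(kernel)
    client = Client(DurableCap(server, "log.txt"))

    client.write("hello")
    stale = client.session                 # minted in incarnation 0
    kernel.restart()                       # sessions gone, files kept

    stale_rejected = False
    try:
        stale.invoke("seek", 0)
    except Rescinded:
        stale_rejected = True

    client.write(" world")                 # reconnects via the durable cap
    return {
        "contents": server.contents("log.txt"),
        "reconnects": client.reconnects,
        "stale_rejected": stale_rejected,
        "incarnation": kernel.incarnation,
    }


if __name__ == "__main__":
    print(demo())
```

Note that nobody holds a durable capability to the session itself, which is Shapiro's point: the session is a non-durable object, and the only durable capability is the one to the persistent file that can mint a new session. The stale session capability is refused after restart regardless of who presents it, so the scheme needs no notion of process identity.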