From mboxrd@z Thu Jan 1 00:00:00 1970
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on polar.synack.me
X-Spam-Level:
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00 autolearn=ham autolearn_force=no version=3.4.4
X-Google-Language: ENGLISH,ASCII-7-bit
X-Google-Thread: 103376,bc1361a952ec75ca
X-Google-Attributes: gid103376,public
X-Google-ArrivalTime: 2001-09-06 09:35:32 PST
Path: archiver1.google.com!newsfeed.google.com!newsfeed.stanford.edu!canoe.uoregon.edu!cyclone1.gnilink.net!news-east.rr.com!cyclone.kc.rr.com!news.kc.rr.com!news-west.rr.com!lsnws01.we.mediaone.net!typhoon.san.rr.com!not-for-mail
Message-ID: <3B97A5C7.3ED71528@san.rr.com>
From: Darren New
Organization: Boxes!
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
Newsgroups: comp.lang.ada
Subject: Re: Progress on AdaOS
References: <3b95d429.592218@news.cis.dfn.de> <3B9654AE.CD4382ED@san.rr.com> <3b9768b6.1671036@news.cis.dfn.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Date: Thu, 06 Sep 2001 16:35:21 GMT
NNTP-Posting-Host: 24.165.20.112
X-Complaints-To: abuse@rr.com
X-Trace: typhoon.san.rr.com 999794121 24.165.20.112 (Thu, 06 Sep 2001 09:35:21 PDT)
NNTP-Posting-Date: Thu, 06 Sep 2001 09:35:21 PDT
Xref: archiver1.google.com comp.lang.ada:12812
Date: 2001-09-06T16:35:21+00:00
List-Id:

> That's not safe, because the "password" and the code that checks can
> be faked.

Well, you have to make sure that doesn't happen. Certainly something like a capability to a file is going to be checked by the file server/process, not by the application trying to open the file.

> It is generally no problem if object's code is executed on the
> caller's context. An exception may in worst case destroy the caller.

Well, uh, .... obviously a capability is an access control mechanism. You don't have access control protecting you from yourself.

So a system using capabilities is going to have some alternate access controls (such as memory mapping or compiled-in array bounds checking, etc) that keeps you from simply inspecting the code of the process that actually supplies the service denoted by the capability.

Check out the EROS web site. Your objections don't make any sense in context. And I can't figure out what context they would make sense in.

> But definitely there should be objects with methods executed on some
> more privileged context, no matter if the object itself exists in the
> caller's one.

Well, maybe not "more privileged". Maybe "differently privileged".

-- 
Darren New
San Diego, CA, USA (PST). Cryptokeys on demand.
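The point made in the post above, that a capability to a file is checked by the file server's process rather than by the application holding it, as an added example that is not part of the original thread or of EROS: a toy in-memory file server (the `FileServer` class, its file store and the handle format are all constructed here) hands out opaque random handles and keeps the only table mapping them to a file and a set of rights, so a caller that "fakes" a handle, or tries to grant itself more rights than it was given, is refused in the server's context.

```python
import secrets

READ, WRITE = "read", "write"

class FileServer:
    """Toy server: the only authoritative capability table lives here."""
    def __init__(self, files):
        self._files = dict(files)   # constructed in-memory file store
        self._caps = {}             # opaque handle -> (path, frozenset(rights))

    def grant(self, path, rights):
        handle = secrets.token_bytes(16)  # unguessable, so not forgeable
        self._caps[handle] = (path, frozenset(rights))
        return handle

    def _lookup(self, handle):
        if handle not in self._caps:  # a handle this server never issued
            raise PermissionError("unknown capability")
        return self._caps[handle]

    def attenuate(self, handle, rights):
        path, have = self._lookup(handle)
        if not frozenset(rights) <= have:  # a caller may drop rights, never add
            raise PermissionError("cannot amplify rights")
        return self.grant(path, rights)

    def open_file(self, handle, mode):
        path, rights = self._lookup(handle)  # check runs in the server's context
        if mode not in rights:
            raise PermissionError(f"capability lacks {mode} right")
        return self._files[path]

def _denied(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def demo():
    server = FileServer({"/etc/motd": b"hello"})
    rw = server.grant("/etc/motd", {READ, WRITE})
    ro = server.attenuate(rw, {READ})     # read-only view of the same file
    forged = secrets.token_bytes(16)      # caller "fakes" a capability
    return {
        "read_ok": server.open_file(ro, READ) == b"hello",
        "write_blocked": _denied(server.open_file, ro, WRITE),
        "amplify_blocked": _denied(server.attenuate, ro, {READ, WRITE}),
        "forgery_blocked": _denied(server.open_file, forged, READ),
    }
```

The handle bytes a caller holds carry no path or rights of their own; the caller's own code cannot "check" or widen a capability because the meaning of a handle exists only in the server's table.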