From: marcs <>
Replying To: Hal Finney <>
Date: Thu, 28 Nov 2002 10:33:49 -0700
Subject: Re: [e-lang] "Capability Myths Demolished" (was: Software security workshop)

> Now it may still be true that in practice, capability systems have far
> finer granularity even than my Linux system with its 20-odd accounts.
> I could imagine a Linux system with perhaps 100 or even 1000 accounts;
> but not one with a million accounts, and perhaps a capability system
> could have that many or more capabilities in action over a period of time.

I think you are right that the explication in the paper needs to be clarified,
but I'd like to point out that in E programs the idea of millions of
individual actors each within a separate POLA confinement is not merely
possible, but inescapable: each object lives inside its own trust domain with
its own set of references/capabilities. So any program that has a million
objects has a million separate trust realms. These separate trust realms can
be grouped by strong similarities (each object created from the same
constructor shares a lot of the same capabilities), but they truly are
separate trust realms nonetheless.
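
The point above, that an object's trust realm is exactly the set of references it holds, can be illustrated outside E. The following is an added example written for this page, not code from the thread or from the E language itself; it assumes Node.js-style JavaScript and uses closures as a stand-in for E objects, with a "maker" function playing the role of a constructor, an append-only facet for attenuation, and a revocable forwarder in the style of E's caretaker pattern. Two stores built by the same maker have the same shape of capabilities but remain separate realms, and a component handed only a facet can reach nothing else.

```javascript
// Added example, not from the e-lang thread or E's own code.
// Each object created here holds only the references passed in or made
// inside its closure, so its reachable authority is exactly those references.

// makeLogStore: a constructor ("maker" in E terms). Every instance has its own
// private entries array; nothing outside the closure can touch it directly.
function makeLogStore(name) {
  const entries = [];
  return Object.freeze({
    name,
    append(line) { entries.push(line); return entries.length; },
    read() { return entries.slice(); },
  });
}

// Attenuation: a write-only facet. Its holder cannot read or reach the store.
function makeAppendOnlyFacet(store) {
  return Object.freeze({ append: (line) => store.append(line) });
}

// Revocable forwarder (E's "caretaker" pattern): the grantor keeps `revoke`,
// the grantee gets `facet`, and the grantor can withdraw authority later.
function makeRevocableFacet(target) {
  let current = target;
  const facet = Object.freeze({
    append(line) {
      if (current === null) throw new Error('capability revoked');
      return current.append(line);
    },
  });
  const revoke = () => { current = null; };
  return { facet, revoke };
}

// demo: two stores from one maker share a capability "shape" but are separate
// realms; a component holding only a facet has that one reference as its
// entire authority, and loses it when the grantor revokes.
function demo() {
  const audit = makeLogStore('audit');
  const debug = makeLogStore('debug');

  const { facet: auditWriter, revoke } =
    makeRevocableFacet(makeAppendOnlyFacet(audit));

  // Hypothetical component that receives nothing but the facet.
  function confinedComponent(writer) {
    writer.append('component started');
    return {
      canRead: typeof writer.read === 'function', // no read capability
      keys: Object.keys(writer),                   // only what it was given
    };
  }

  const result = confinedComponent(auditWriter);
  revoke();
  let revoked = false;
  try { auditWriter.append('after revoke'); } catch (e) { revoked = true; }

  return {
    auditEntries: audit.read(),     // ['component started']
    debugEntries: debug.read(),     // [] : the other realm is untouched
    componentCouldRead: result.canRead,
    componentKeys: result.keys,
    revoked,
  };
}
```

Running `demo()` shows the audit store holding the single line the component wrote, the debug store untouched, the component unable to read anything, and the facet dead after revocation. Scaling this to a million objects changes nothing structurally: each closure is its own realm regardless of how many share a maker.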

