… but points to a general use case: One of the attractions of clean object capability models is that any operation can be transparently virtualised. If an original cap can be derived, but a derived one cannot, then this breaks transparency at some point.
I can't see the relationship between derivation and virtualisation of object invocation? A level of indirection can be obtained by substitution of a real object reference, and a "virtual" object reference. It's the length of chains of delegation that we have compromised on, more specifically control of the scope of revocation of delegation.
There’s the old saying that in CS there are only three valid constants: zero, one and infinity. We have a two in there, which clearly smells badly.
I thought that is what I implied. We have two valid constants and no invalid ones :-) The addition of infinity is what one wants in the ideal. Though I'd argue that if you can design your user-level system to only need zero and one, one can avoid taking the space hit for infinity in the kernel. The move to 64-bit may actually free up enough space in caps to implement an infinity, which would be pretty compelling if it came for "free".
- Kevin
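The trade-off the thread is arguing about (a derivation chain limited to "original plus one derived level" versus unbounded chains, and what that does to the scope of revocation and to transparent virtualisation through a proxy object) is shown below in a small Python model. This is an added example, not code from the thread or from any kernel the participants are discussing; the `Kernel`, `Cap`, `Obj` and `Proxy` classes, the `max_depth` knob and the sample object names are all constructed here for illustration.

```python
"""Toy model of capability derivation depth and revocation scope (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional

class DerivationError(Exception):
    """Raised when a derivation would exceed the kernel's permitted chain length."""

class Obj:
    """A real kernel object; invoke() is the operation a cap on it grants."""
    def __init__(self, name: str):
        self.name = name

    def invoke(self, op: str) -> str:
        return f"{self.name}:{op}"

class Proxy(Obj):
    """A 'virtual' object: holds a cap to the real object and forwards invocations."""
    def __init__(self, target: "Cap"):
        super().__init__(f"proxy({target.obj.name})")
        self.target = target

    def invoke(self, op: str) -> str:
        return self.target.invoke(op)  # fails once the underlying cap is revoked

@dataclass
class Cap:
    obj: Obj
    parent: Optional["Cap"] = None
    children: List["Cap"] = field(default_factory=list)
    revoked: bool = False

    def depth(self) -> int:
        d, c = 0, self
        while c.parent is not None:
            d, c = d + 1, c.parent
        return d

    def invoke(self, op: str) -> str:
        if self.revoked:
            raise PermissionError("capability has been revoked")
        return self.obj.invoke(op)

class Kernel:
    """max_depth=1 models 'two constants' (original + one derived level);
    max_depth=None models 'infinity' (unbounded derivation chains)."""
    def __init__(self, max_depth: Optional[int]):
        self.max_depth = max_depth

    def mint_original(self, obj: Obj) -> Cap:
        return Cap(obj)

    def derive(self, cap: Cap) -> Cap:
        if cap.revoked:
            raise PermissionError("cannot derive from a revoked capability")
        if self.max_depth is not None and cap.depth() >= self.max_depth:
            raise DerivationError(f"chain length limited to {self.max_depth}")
        child = Cap(cap.obj, parent=cap)
        cap.children.append(child)
        return child

    def revoke(self, cap: Cap) -> int:
        """Revoke everything derived from cap (its delegation scope); cap itself survives."""
        n = 0
        for child in cap.children:
            n += 1 + self.revoke(child)
            child.revoked = True
        cap.children.clear()
        return n

    def virtualise(self, cap: Cap) -> Cap:
        """Substitute a fresh original cap to a proxy in place of the real reference."""
        return self.mint_original(Proxy(cap))

def two_level_kernel_refuses_redelegation() -> bool:
    k = Kernel(max_depth=1)
    derived = k.derive(k.mint_original(Obj("file")))
    try:
        k.derive(derived)          # a derived cap cannot be derived again
        return False
    except DerivationError:
        return True

def indirection_restores_transparency():
    """With depth limited to 1, the holder of a derived cap delegates further by
    handing out a cap derived from a proxy; revoking the real cap still cuts the chain."""
    k = Kernel(max_depth=1)
    orig = k.mint_original(Obj("file"))
    derived = k.derive(orig)
    proxy_cap = k.virtualise(derived)  # new original cap, so depth is 0 again
    redelegated = k.derive(proxy_cap)
    before = redelegated.invoke("read")
    k.revoke(orig)                     # revokes `derived`, so the proxy now fails
    try:
        redelegated.invoke("read")
        after = "allowed"
    except PermissionError:
        after = "refused"
    return before, after

def unbounded_kernel_revocation_scope():
    """With unbounded chains, revoking at one link removes only that link's subtree."""
    k = Kernel(max_depth=None)
    c0 = k.mint_original(Obj("endpoint"))
    c1 = k.derive(c0)
    c2 = k.derive(c1)
    c3 = k.derive(c2)
    removed = k.revoke(c1)             # c2 and c3 go; c0 and c1 stay valid
    return c3.depth(), removed, c1.invoke("send"), c3.revoked
```

The proxy path is the "substitution of a real object reference" from the thread: the holder of the proxy's original cap controls revocation of everything delegated through it, while revocation of the real cap still propagates because the proxy invokes through it. The cost is one extra object and one extra invocation hop per level of delegation, which is what the unbounded-chain design spends kernel-side cap space to avoid.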