
Re: ANN: ANTS v2.0



Sandy Murphy wrote:
> We bound the identity to the capsule as it was class loaded so the
> protection domain the capsule executed in contained the identity.

Does that associate identity with the type of the capsule or with the
instance of the capsule?  (I'm assuming that two different instances
of PingCapsule could have different identities, so the above is a bit
confusing.)

> In the Node architecture ideal, the NodeOS could do the
> authentication check and assign the packet to a "resource domain"
> (whose identities were established on resource domain creation).
> Each NodeOS call from the EE is supposed to contain the "resource
> domain" ID, so the NodeOS can mediate all protected services on the
> basis of the "resource domain"s identities.  (Which, by the way,
> makes EE's pretty darned trusted parts of this system.)

If this support existed in the NodeOS, it should be pretty
straightforward to add to ANTS, I hope (just adding an extra parameter
to a lot of methods).  And, hopefully, it wouldn't require tossing out 
the existing access checks (which are mostly ANTS-specific checks).

> So the AA running in ANTS tells ANTS when its privileges need to be
> lowered?  Isn't that putting a lot of trust in the AA?

Yeah, probably too much.

-Pat

----- ----- ---- ---  ---  --   -    -      -         -               -
Pat Tullmann                                       tullmann@cs.utah.edu
	    He who dies with the most toys is still dead.
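
Added illustration, not part of the original message and not ANTS code: in standard Java a ProtectionDomain is fixed per Class when defineClass() runs, so every instance of that Class shares it, and giving the same capsule bytes two identities takes two class loaders. The PingCapsule body, CapsuleLoader, and the "alice"/"bob" identities are constructed for this sketch.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.Permissions;
import java.security.Principal;
import java.security.ProtectionDomain;

public class DomainDemo {
    // Constructed stand-in for a capsule class (hypothetical, not the ANTS class).
    public static class PingCapsule {}
    // Hypothetical loader: one per sender identity.
    static class CapsuleLoader extends ClassLoader {
        private final ProtectionDomain domain;
        CapsuleLoader(String sender) {
            super(null); // bootstrap parent only, so findClass() below defines the capsule
            Principal id = new Principal() {
                public String getName() { return sender; }
            };
            domain = new ProtectionDomain(null, new Permissions(), this, new Principal[] { id });
        }
        @Override
        protected Class<?> findClass(String name) throws ClassNotFoundException {
            String path = "/" + name.replace('.', '/') + ".class";
            try (InputStream in = DomainDemo.class.getResourceAsStream(path)) {
                if (in == null) throw new ClassNotFoundException(name);
                byte[] code = in.readAllBytes();
                // The domain (and the identity in it) is fixed for this Class here.
                return defineClass(name, code, 0, code.length, domain);
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    static String identityOf(Object capsule) {
        return capsule.getClass().getProtectionDomain().getPrincipals()[0].getName();
    }
    public static void main(String[] args) throws Exception {
        String name = PingCapsule.class.getName();
        Class<?> fromAlice = new CapsuleLoader("alice").loadClass(name);
        Class<?> fromBob = new CapsuleLoader("bob").loadClass(name);
        Object a1 = fromAlice.getDeclaredConstructor().newInstance();
        Object a2 = fromAlice.getDeclaredConstructor().newInstance();
        Object b1 = fromBob.getDeclaredConstructor().newInstance();
        // Instances of one Class share its identity; a second identity needs a second Class.
        System.out.println(identityOf(a1) + " " + identityOf(a2) + " " + identityOf(b1));
        System.out.println("same Class object: " + (fromAlice == fromBob));
    }
}
```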



