We are turning in circles. This is exactly the same model as you suggested in your first reply. And it is exactly the model I have already tried to implement, and that we rejected because of performance, wrong security properties, impossibility of transparent interposition, code complexity, etc.
I forgot to explain why I switched back to the initial model. We have here 2 models in our discussion:
1. Using a 1:1 mapping between objects and endpoints. This requires a cmp() function.
2. Using the features of L4.sec (local names, endpoints and badges) to implement a capability system in user-level.
We all agree that the first one can be build, looking from a functional point of view. This does not mean that it is the best solution.
Or in other words some disadvantages (waste kernel memory, needs an additional kernel operation,...) leads to the question whether the second model could also be built.
Perhaps we should split the discussion here and try to answer in one thread the question of the first model (e.g. why cmp() and not map_lookup(),...) and in another one the problems with the second model you mention in your last mail.
Bernhard