At Fri, 10 Jun 2005 15:38:27 +0200, Bernhard Kauer wrote:
There is a grant problem. If a client X grant an object to Y and X dies, this does not mean, that the reference to the object is released...
Of course it does, X died and as a result the reference monitor gets a task death notification. If Y required the object beyond X's death, it should have gotten its own reference but that is a different problem.
Situation: S -> C -> (1 reference) A -> B
Goal: /-> (1 reference) A S-> C -> (1 reference) B
In your scenario both clients A and B have to cooperate with C
C needn't trust either A or B.
If client A asks the server C to map something it already has, from C to a client B, only the clients have to trust C to provide this service. The server C needn't trust its clients for this operation...
Right, that's the point. C is part of A and B's TCB; C does not trust either A or B.