Security Properties of Distributed Platforms

The trust properties of systems described here can be described as follows. If one of the sites is compromised then signals from that site can cause capabilities conceptually held by some object at that site to be abused. Capability discipline at that site disappears but capabilities that never traveled to that site cannot be abused. Applications are in a position to manage which sites they operate at. Logic in the code that generates the application or instances of objects within the application can elect the sites where they will materialize. Some objects of the application that do not need dangerous capabilities may be allowed to run at less trusted sites.

Vulnerability to your Platform

It seems obvious that when a program with some effective authority runs on a platform, then that authority is accessible to the platform. Lacking a precise definition of platform I can’t prove this. Here are a few examples of “platform”: Each of these systems can serve the needs of guest programs and is in a position to seize and abuse the authority of those programs.

I think that a central processor within a computer is also capable of doing this but perhaps only in an environment where untrusted confederate code is allowed.

These same points are made from a bit different perspective in Capabilities As A Cryptographic Protocol.