Several sorts of objects in Keykos have a sever operation. The operation is either an order on the object itself, or on the source of the object. The difference is mainly historical.

The source of page keys, at the bottom, is the range key, a kernel object. The space bank recycles page frames by asking the range key to put zeros in the frame and ‘change the lock’, much as happens when you check out of a motel. The range key is especially equipped to do this, for it can zero the page without reading the page from disk. It changes the lock by incrementing the allocation count, thus invalidating all extant keys. The new page key with the new allocation count is returned. When the bank hands this page out again it will be a ‘new page’ and the new owner will have the sole key to the new page, until he gives it to someone else.

It was observed that it would be just an extra few lines of code for the range key to obey a new sever command to change the lock but omit zeroing the page. The key with the new allocation is returned. The same logic applies to nodes.

A higher-level use of sever is to produce an immutable object after a period in which it was writable. The charter of program X is to produce immutable segments. X creates a segment and passes the write key thereto to various programs that write useful data on segments for a living. When this is done, X severs the segment by severing the node key thereto, creates a RO version of the new segment key, loses the RW key to the segment (or stashes it away if destroy segment authority is retained), and delivers the key to the new immutable segment. This saves copying the data into a new segment, keys to which had not been disseminated. X may discover that one of the programs has already deleted the segment, but it is easy to learn which one. The program that deleted the segment is clearly outside its charter; that program was already presumably trusted to write useful data, but not necessarily trusted not to keep the segment key.

The same logic applies to objects defined by user mode code which is obeyed by a domain. Such programs generally have access to their own creator and can ask the creator to sever keys to the domain. As in the segment example the domain may be entering a new life stage, like an insect, and no longer wishes to respond to calls from objects that were functional in its developmental period. It is rather like getting a new phone number.


Sever was seen not to be a security flaw because it is semantically the same as buying a new page, or node, copying the contents from the old to the new, and then deleting the old page or node.
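
The allocation-count mechanism and the equivalence argument above can be checked on a toy model. The following is an added example, not Keykos code: the struct layouts, the 16-byte page, and the names key_valid, range_sever, range_recycle and scenario are assumptions made for illustration. It compares sever in place against buying a new page, copying, and deleting the old one.

```c
/* Toy model constructed for this example; not KeyKOS source. */
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 16 /* tiny page, for the demo only */
struct frame { uint32_t alloc_count; uint8_t data[PAGE_SIZE]; };
struct page_key { struct frame *f; uint32_t alloc_count; };

/* A key is honoured only while its count matches the frame's. */
int key_valid(struct page_key k) { return k.f->alloc_count == k.alloc_count; }
int page_write(struct page_key k, unsigned off, uint8_t v) {
    if (!key_valid(k) || off >= PAGE_SIZE) return -1;
    k.f->data[off] = v;
    return 0;
}
int page_read(struct page_key k, unsigned off) {
    if (!key_valid(k) || off >= PAGE_SIZE) return -1;
    return k.f->data[off];
}

/* Sever: change the lock, keep the contents, return the sole new key. */
struct page_key range_sever(struct frame *f) {
    f->alloc_count++;
    return (struct page_key){ f, f->alloc_count };
}
/* Recycle (space bank path): zero the frame, then change the lock. */
struct page_key range_recycle(struct frame *f) {
    memset(f->data, 0, PAGE_SIZE);
    return range_sever(f);
}

/* mode 0 = sever, 1 = buy new page + copy + delete old, 2 = recycle.
   Returns the byte the new key sees at offset 3, or -1 if the old key still works. */
int scenario(int mode) {
    struct frame a = { 0, {0} }, b = { 0, {0} };
    struct page_key old = { &a, a.alloc_count }, fresh;
    page_write(old, 3, 0x5a);
    if (mode == 0) fresh = range_sever(&a);
    else if (mode == 2) fresh = range_recycle(&a);
    else {
        fresh = range_recycle(&b);                 /* "buy" a zeroed page */
        for (unsigned i = 0; i < PAGE_SIZE; i++)
            page_write(fresh, i, (uint8_t)page_read(old, i));
        range_recycle(&a);                         /* "delete" the old page */
    }
    if (page_read(old, 3) != -1 || page_write(old, 3, 1) != -1) return -1;
    return page_read(fresh, 3);
}

int main(void) { return !(scenario(0) == 0x5a && scenario(1) == 0x5a && scenario(2) == 0); }
```

In both the sever path and the copy path the old key is refused and the holder of the new key reads the same byte; only the recycle path returns a zeroed page.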