Simplex Signal Streams

<title>Simplex Signal Streams</title>
<a href=../Factory.html>Factories produce Discreet objects</a>.
Tyler Close wondered if a factory yield could accept notifications from outside, in the sense of call-back.
The following is a general pattern that allows a <a href=http://eserver.bell.ac.uk/mirrors/dc100www/dc_014.htm>simplex</a> stream of signals that flow into a discreet compartment.
If the signals are delivered promptly they can herald external events which is some of the purpose of call-backs.
Such signals can also carry sensory keys and data.
<p><a href=Notifier.html>My first design</a> does not require kernel design mods but I am unhappy with it.
It could be improved with the current kernel design.
We examine another design here that relies on <a href=retr.html>proposed kernel design changes</a> and is rather more efficient and natural.
We presume in this design that the recipient of a stream may not impede the sender.
This means that signals may be lost but the recipient may choose to sense such loss.
<p>In this design the publisher of the signal stream holds a set of start keys to subscribers.
When there is a new signal it forks each subscriber start key with the signal, which may include data and keys, but refuses to block on busy subscribers.
<p>This design does not provide an information diode since keys may be passed in the stream that allow signals in the opposite direction.
<p>A new generic <b>broadcaster</b> object type could specialize in broadcasting these streams.
This would also allow silently subscribing to a stream, invisibly to the publisher if the broadcaster retains its independence.
<p>A variation on a broadcaster would certify that each key in each message of the stream was sensory.
Such streams could safely lead into discreet compartments built by factory logic.
<h3>Genesis of Arrangement</h3>
We have described a safe arrangement above.
For a confined object that receives a stream of signals, how do we get to that arrangement so that the stake holders are properly assured?
<p>The new sort of arrangement is for a start key for some component of a confined object to be registered with an unconfined but mutually trusted brand of object, a broadcaster in this case.
Only the author of the factory, who holds the factory builder’s key, is in a position to create a version of the broadcaster suitable for the job.
The builder could make the registration key for the broadcaster available along with the factory requestor’s key.
The requestor could test the brand of the broadcaster key to assure that the brand is the one he trusts and then the requestor could call the nascent factory yield to acquire the confined notifiee start key and register that with the broadcaster.
When the requestor invokes the broadcaster he specifies that signals be sensory.
<p>This scenario assures the requestor that the factory yield is effectively confined, but gives the requestor too much authority—namely the key to the broadcaster which might provide a signal stream that is proprietary to the builder.
It also increases the complexity of the task of the requestor.
<p>If the registration key to the broadcaster could be added as a factory component then initialization code could register the confined listener.
The registration code is part of the trusted object so it need not and will not leak signals from the confined world.
The registration key does not come under <a href=../Factory.html#cat>any suitable excuse for a new factory component</a> however.
Since the logic of the builder’s code invokes the registration key it is necessary to ensure that that particular key is good only for registering sensory listeners.
In short the registration key is safe because it invokes trusted code, not confined code.
It is an instance of an object parameterized by the builder and is therefor not merely a well known trusted hole.
This particular broadcaster broadcasts a stream private to the builder.
It is trusted even though it has been parameterized.
A plausible ‘component’ would be a predicate object built by the trusted broadcast author that could be a well known hole.
The predicate takes a key that claims to be a registration key for sensory streams and verifies as much.
Somehow the factory logic would have to know to test the registration key against the predicate before allowing the registration key to be accessible in the confined world.
There is plenty of room for the builder to instruct the factory of this relation.
A new order on the builder’s key might say:
Take this here key (registration key in current case), ask component k to vouch for it.
I think that predicates must be declared as such as they are introduced to factory via the builder’s key.
The factory obeys the above vouch request only on declared predicates.
I think too that the discretion test on the requestor’s key must require that the set of predicates of the testee be a subset of the predicates of the invoked factory.
<p>I think this all works but it needs a better explanation.
<h3>Who Knows What &amp; When?</h3>
B is a broadcast service, trusted by some.
B is provided in the form of a pair of keys, B<sub>f</sub> and B<sub>p</sub>, found in a public place.
Invoking B<sub>f</sub> returns a key B<sub>c</sub> which controls a new broadcast instance.
Some orders on B<sub>c</sub> are:<ul>
<li>return a key B<sub>s</sub> which accepts new subscriber start keys which are added to the broadcaster’s list.
<li>return a key B<sub>d</sub> which accepts new subscriber start keys to which only sensory messages are transmitted.
<li>return a message acceptor key any message to which is promptly broadcast to the broadcaster’s list.
</ul>
P is the author of the program that is to be confined while receiving signals from an unconfined source.
P chooses to use broadcast service B.
P takes B<sub>p</sub> and installs it, as a predicate, in a new nascent factory to which he holds a builder’s key.
(P chooses an index with which to identify this predicate within the factory just as factory components are identified by index.)
P then creates a broadcast instance B<sub>c</sub> by invoking B<sub>f</sub>.
P acquires the B<sub>d</sub> from B<sub>c</sub> and inserts it as a component in the factory referring to the previously installed predicate by index as justification.
The factory invokes the identified predicate, B<sub>p</sub> passing the prospective component B<sub>d</sub>.
B’s trusted code verifies the brand and that this key is indeed a B<sub>d</sub> for some instance of a broadcast instance.
It signals its approval to the factory logic which thereupon agrees to install B<sub>d</sub> as a factory component.
P continues the normal factory building.
<p>Asynchronously of all of the above a prospective client C of P’s service decides to trust B and thereby installs B<sub>p</sub> as a predicate in his touchstone factory.
When P has sealed the factory and disseminated the requestor’s key R thereto, C invokes his touchstone factory passing R.
Since the touchstone factory holds B<sub>p</sub> as predicate, it is OK that R does as well.
Other predicate and hole inclusions being appropriate, the touchstone factory approves of R and causes C to believe that R produces confined objects.
<p>C invokes R to get an instance of P’s service.
P’s code, running as confined, builds the domain that will receive external signals.
S is the start key to that domain and S is delivered to B<sub>d</sub> in order to subscribe to those signals.
P’s construction code continues and returns an appropriate key to C to be used for the service.
<p>Note that P and C each rely on the logic of both the factory code and the code that implements B.
P has not hereby revealed that there is an incoming stream except inso far as C was required to trust B.
C does not have access to the stream or other internals of the new service object.
P does not have access to whatever C entrusts to the new service object.