The Protocol of the Month or the Unbounded TCB

It sometimes seems that every month a new network protocol or variation comes along and a new daemon for Unix is thus required. Naturally this new daemon requires root privilege and comes with little or no documentation about how it will use root authority, let alone any reason to believe that the new code wields this authority correctly. Yet the modern Unix administrator is expected to install it, with root privilege.

Let’s imagine that some new chat protocol comes along and that we share a machine with a capability-style operating system. We must modify or encapsulate the new daemon, but how do the system users subscribe safely to the new service?

I am one of the users of the system and I value my attention. I also want to try out the new service, so I invoke the newly provided factory and pass the following capabilities:

I created the window capability and endowed it with