I am skeptical about early introduction of “support for identity-based access control” as it seems unlikely that one can recover later (at higher levels) from the insecurities it introduces.
In the critique at the end (section 3) he reveals that each application holds the capability to the ‘user’s’ entire file hierarchy. He concludes that this is unacceptable and compares with Polaris and Plash.
His references at the end are well chosen.
Section 2.2 explains how Hurd plans to restart as the system lacks persistence. I do not understand this yet.
|Messages are addressed to ports||Messages are addressed to domains.|
|Kernel queues messages||Messages do not persist in kernel. They are delivered in the same instant they are created.|
|data passed by reference to immutable memory.||data passed by copy; limited in size.|