My first design does not require kernel design mods but I am unhappy with it. It could be improved with the current kernel design. We examine another design here that relies on proposed kernel design changes and is rather more efficient and natural. We presume in this design that the recipient of a stream may not impede the sender. This means that signals may be lost but the recipient may choose to sense such loss.
In this design the publisher of the signal stream holds a set of start keys to subscribers. When there is a new signal it forks each subscriber start key with the signal, which may include data and keys, but refuses to block on busy subscribers.
This design does not provide an information diode since keys may be passed in the stream that allow signals in the opposite direction.
A new generic broadcaster object type could specialize in broadcasting these streams. This would also allow silently subscribing to a stream, invisibly to the publisher if the broadcaster retains its independence.
A variation on a broadcaster would certify that each key in each message of the stream was sensory. Such streams could safely lead into discreet compartments built by factory logic.
The new sort of arrangement is for a start key for some component of a confined object to be registered with an unconfined but mutually trusted brand of object, a broadcaster in this case. Only the author of the factory, who holds the factory builder’s key, is in a position to create a version of the broadcaster suitable for the job. The builder could make the registration key for the broadcaster available along with the factory requestor’s key. The requestor could test the brand of the broadcaster key to assure that the brand is the one he trusts and then the requestor could call the nascent factory yield to acquire the confined notifiee start key and register that with the broadcaster. When the requestor invokes the broadcaster he specifies that signals be sensory.
This scenario assures the requestor that the factory yield is effectively confined, but gives the requestor too much authority—namely the key to the broadcaster which might provide a signal stream that is proprietary to the builder. It also increases the complexity of the task of the requestor.
If the registration key to the broadcaster could be added as a factory component then initialization code could register the confined listener. The registration code is part of the trusted object so it need not and will not leak signals from the confined world. The registration key does not come under any suitable excuse for a new factory component however. Since the logic of the builder’s code invokes the registration key it is necessary to ensure that that particular key is good only for registering sensory listeners. In short the registration key is safe because it invokes trusted code, not confined code. It is an instance of an object parameterized by the builder and is therefor not merely a well known trusted hole. This particular broadcaster broadcasts a stream private to the builder. It is trusted even though it has been parameterized. A plausible ‘component’ would be a predicate object built by the trusted broadcast author that could be a well known hole. The predicate takes a key that claims to be a registration key for sensory streams and verifies as much. Somehow the factory logic would have to know to test the registration key against the predicate before allowing the registration key to be accessible in the confined world. There is plenty of room for the builder to instruct the factory of this relation. A new order on the builder’s key might say: Take this here key (registration key in current case), ask component k to vouch for it. I think that predicates must be declared as such as they are introduced to factory via the builder’s key. The factory obeys the above vouch request only on declared predicates. I think too that the discretion test on the requestor’s key must require that the set of predicates of the testee be a subset of the predicates of the invoked factory.
I think this all works but it needs a better explanation.
Asynchronously of all of the above a prospective client C of P’s service decides to trust B and thereby installs Bp as a predicate in his touchstone factory. When P has sealed the factory and disseminated the requestor’s key R thereto, C invokes his touchstone factory passing R. Since the touchstone factory holds Bp as predicate, it is OK that R does as well. Other predicate and hole inclusions being appropriate, the touchstone factory approves of R and causes C to believe that R produces confined objects.
C invokes R to get an instance of P’s service. P’s code, running as confined, builds the domain that will receive external signals. S is the start key to that domain and S is delivered to Bd in order to subscribe to those signals. P’s construction code continues and returns an appropriate key to C to be used for the service.
Note that P and C each rely on the logic of both the factory code and the code that implements B. P has not hereby revealed that there is an incoming stream except inso far as C was required to trust B. C does not have access to the stream or other internals of the new service object. P does not have access to whatever C entrusts to the new service object.