shapj wrote:
> For my edification, is there a reason to believe
> that Swiss numbers are
> preferable to cryptographically signed
> capabilities from the standpoint of
> security?
None that I know of. I actually spent some time trying to implement with signed identifiers rather than Swiss numbers in the belief that this would create a simpler design with faster authentication. I switched for two reasons. First, I realized that I still needed the lookup table in order to anchor objects that had been exported so that they did not get garbage collected. Second, a signed identifier created a much longer URL, which made them tougher to pass around.
> > If an object identifier is unguessable and only
> > communicated over secured channels, then it is a
> > capability.
>
> I'm not clear that the "only communicated over
> secure channels" constraint
> is required. It doesn't appear to me to be
> satisfied by E/Pluribus or
> Droplets, because the endpoints are not secure.
The 'only communicated over secure channels' constraint is to ensure that a party can only acquire a capability if another party possessing the capability has explicitly passed it to them.
Both SSL and Pluribus provide secure transmission of a capability to the client's TCB. Securing the client's TCB from attackers is outside the scope of the provided solution.
I believe a Linux server running only apache, SSL, and SSH is a secure endpoint. It is up to the client to use a similarly secure endpoint. This is a market that I hope EROS will one day service.
Tyler
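As an added example (not code from this thread, nor from E, Pluribus or Droplets), a Python sketch of the two designs the reply compares: a Swiss-number export table whose strong references anchor exported objects against garbage collection, beside an HMAC-SHA256 signed identifier (an assumed construction, since the post names none) so the resulting URL lengths can be measured. The hashing of the Swiss number before it is used as a table key is also this example's choice, not something the post describes.

```python
import base64, gc, hashlib, hmac, secrets, weakref

class SwissTable:
    """Export table for Swiss-number capabilities (constructed example)."""
    def __init__(self, nbytes=20):
        self.nbytes = nbytes
        # Keyed by a hash of the Swiss number so the table never holds the
        # secret; the strong reference stored here is what anchors an exported
        # object against garbage collection (the post's first reason).
        self._objects = {}
    @staticmethod
    def _key(swiss):
        return hashlib.sha256(swiss.encode()).digest()
    def export(self, obj):
        swiss = secrets.token_urlsafe(self.nbytes)  # 160-bit unguessable id
        self._objects[self._key(swiss)] = obj
        return swiss
    def lookup(self, swiss):
        return self._objects.get(self._key(swiss))  # None: unknown or revoked
    def revoke(self, swiss):
        return self._objects.pop(self._key(swiss), None) is not None

class Resource:
    pass  # stand-in for an exported object

def anchoring_demo():
    """Only the table keeps the object alive; revoking it frees the object."""
    table = SwissTable()
    swiss = table.export(Resource())  # caller keeps just the Swiss number
    probe = weakref.ref(table.lookup(swiss))
    gc.collect()
    alive_after_export = probe() is not None
    table.revoke(swiss)
    gc.collect()
    return alive_after_export, probe() is not None

# The rejected alternative: short object id plus HMAC-SHA256 tag (assumed
# construction). Serving the object would still need a table to anchor it.
def signed_identifier(obj_id, key):
    tag = hmac.new(key, obj_id, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(obj_id + tag).rstrip(b"=").decode()

def verify_signed(token, key):
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    obj_id, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key, obj_id, hashlib.sha256).digest()
    return obj_id if hmac.compare_digest(tag, expected) else None

def url_lengths():  # URL chars: 20-byte Swiss number vs 8-byte id + 32-byte tag
    return len(SwissTable().export(None)), len(signed_identifier(b"\0" * 8, b"k" * 32))
```

The anchoring demo relies on CPython's reference counting, so the object disappears as soon as the table entry is revoked.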