Mark S. Miller, <markm@caplet.com>, writes:
> Let us call implementations like Ping's or MarcS's "pointer-based public
> key" as opposed to "cryptographic public key". Why do we also need a
> cryptographic public key implementation of sealer/unsealer? To provide the
> power of cryptographic public key to the E programmer in the inter-vat
> case. What is this power, over that of using pointer-based public
> key? *Only* the removal of the mutually trusted third party.
I think I understand. With the PassByProxy model, VatS, which holds the BrandMaker, gets access to the capability being sealed, even though that capability may only be intended to be delivered to Bob. VatS must be trusted not to misuse that capability. With a crypto based PassByCopy model, the sealing is done locally and no one other than Bob will be able to unseal it (other than people he gives it to).
In terms of your auditors, would it be that the PassByCopy BrandMaker would be accepted as confined (or some similar security property) while the PassByProxy version would not? You might have two flavors of BrandMaker in the system, the crypto one which is slow and bulky but passes the auditor for cases where that is needed, and the PassByProxy one you have now, which is very fast but does not pass the auditor? Then, you want to make sure that they are semantically equivalent other than this auditor test?
Is it anticipated that user-written objects would ever be PassByCopy? The security properties of such an object would be very different from those under the PassByProxy model, because the object would not be able to keep secrets from whatever Vat it runs on. It would be necessary to be very careful in writing such code, and the security analysis would be completely different than for PassByProxy code. The mint code, for example, would obviously be completely unsafe if the purse were PassByCopy.
Thanks for the helpful discussion -
Hal