[cap-talk] Comments on a paper

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Fri Jul 1 21:52:04 EDT 2005

Kevin Reid wrote:
> On Jul 1, 2005, at 19:22, Karp, Alan H wrote:
>> David Hopwood wrote:
>> A whole bunch of stuff that I agree with and
>>>   - a complete record of delegations is not needed. Capability systems
>>>     can support the kind of auditing that is actually useful.
>> That's what I'm trying to figure out how to do.  First of all, what 
>> kind of auditing are you talking about?  Second, how do you do it?  
>> Let me give an example of what I don't understand.
>> ...
>> In order to illustrate what I don't know how to do, we need to add 
>> another level of delegation.  Say that Alice has 100 GB of disk space. 
>> She grants Bob the right to claim 50 GB for one week and Carol the 
>> same.  Bob grants David the right to claim 25 GB for that week and 
>> Edward the same.  So far, so good.  Now, Edward grants Fred and George 
>> each the right to claim 25 GB.  Carol submits her claim and gets a 
>> lease on the space; David and Fred do the same.  When George submits 
>> his claim, Alice must reject it, but she wants to know if Bob or Carol 
>> is responsible for the oversubscription, and Bob wants to know if it's 
>> Fred or George. SwissNumber tracking can answer Alice's question, but 
>> how does Bob know whether to blame David or Edward?
>> The system described in the paper uses digital certificates.... I can 
>> figure out how to do the same by forwarding Fred's and George's 
>> requests through Bob, but how does it work if Bob can be off line when 
>> those requests are made?
> I haven't been paying much attention to this thread, but this seems to 
> be a straightforward capability problem, so I'll attempt to answer it:
> By Alice building the forwarders, which Bob would otherwise host and 
> give to David and Edward, into her service.
>   interface SpaceProvider {
>     to claim() :Space
>     to subdivide(portion :Number, label :String) \
>       :Tuple[SpaceProvider, Log, Revoker]
>   }
> The 'subdivision' SpaceProvider, hosted by Alice, remembers its 
> 'parent', and so Alice can note the complete 'delegation' path for each 
> request.

That's exactly the approach I was thinking of.

> (Without further protocol, Alice has only Bob's word for who the 
> subdivision is being given to. This can be changed.)

Indeed, for example:
  - Alice provides a random challenge, which Bob forwards to Dave
  - David seals/brands it together with his resource request, and sends it
    back to Bob who forwards it to Alice.

So we need something like cryptographic sealers or branding for this, but
it's still a capability-based design with all the usual cap-security

David Hopwood <david.nospam.hopwood at blueyonder.co.uk>

More information about the cap-talk mailing list