[cap-talk] ACLs, how does one bootstrap a capability communication system

Stiegler, Marc D marc.d.stiegler at hp.com
Tue Aug 1 12:34:11 EDT 2006

> I have been writing a capability-based mailing/chat system on
> top of web keys, and having some kind of user identification

Very Cool! I would tell you to look at the Echat system in Walnut to see
a simple example of such a beast, but the specific feature I am going to
recommend in the next sentence is not implemented in Echat (its goal was
to be the shortest possible interesting example, which is different from
being an actually good chat system).

> would be useful.  I call this user identification an alias, 
> but it works a lot like an email address.  People can publish 

I think you should consider calling the user identification a "petname",
and then implement petname logic for it. So, I create a webkey for you
to use to send mail to me. I give you the webkey. When you install that
webkey in your mail tool, you bind the webkey to a petname, possibly
"marcs". A valuable user-interface twist on this is, when I send you the
webkey, I include a nickname, and during the installation of the webkey
the mail tool suggests using my nickname as your petname for me. Usually
my nickname will not conflict with any petname you already have (people
choose nicknames to be fairly unique). Therefore, this allows the user
to simply click a button rather than type a name in most cases.

> revocable capabilities (inboxes) to aliases to introduce
> themselves.  However, I have no way of stopping people from
> spamming an alias if they know it.  The user must choose a
> new alias if one is being spammed (which is not a problem,
> because once someone has your revocable inbox, they
> no longer need the alias). What I think I am going to do is have the
> user request an alias which is a web key, and then let them
> communicate the alias through some other means besides my
> mailing/chat system.

If a webkey is compromised, you have to go back through the bootstrap.
If you put in a mechanism for the breached user to change his webkey by
sending mail to the current webkey, the attacker will, of course, as his
first action, use the mechanism to lock out the actual user.

Bootstrapping is a pain whether you are using caps or ACLs or just about
anything. Once one has a mail or a chat or a privately shared webkeyed
web page, one can send all future caps through that connection, but one
must get the first secure connection by external means.
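The petname binding sketched in the reply above (install a webkey, take the sender's nickname as the suggested petname, fall back to typing a name when it collides), as an added Python example that is not code from the post, from Walnut or from Echat; the webkey strings, the nickname riding alongside the key, and all class and function names are assumptions made here:

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class PetnameTable:
    """One user's local table, petname <-> webkey. The webkey is the
    unforgeable reference; the petname is chosen and meaningful only here.
    A nickname sent with the key is only a hint for picking the petname."""
    by_petname: dict = field(default_factory=dict)
    by_webkey: dict = field(default_factory=dict)

    def suggest(self, nickname):
        """Propose the sender's nickname as petname, or None on a collision
        (then the user has to type a distinct name instead of clicking)."""
        nickname = nickname.strip()
        if not nickname or nickname in self.by_petname:
            return None
        return nickname

    def install(self, webkey, nickname, chosen=None):
        """Bind webkey to a petname: the user's typed `chosen` name if given,
        else the suggested nickname. Re-installing a known key keeps its name."""
        if webkey in self.by_webkey:
            return self.by_webkey[webkey]
        petname = chosen.strip() if chosen else self.suggest(nickname)
        if not petname:
            raise ValueError("nickname collides with an existing petname; ask the user")
        if petname in self.by_petname:
            raise ValueError(f"petname {petname!r} is already bound to another key")
        self.by_petname[petname] = webkey
        self.by_webkey[webkey] = petname
        return petname

    def label(self, webkey):
        """Display name for a message: the local petname of its webkey
        (so a nickname written into a message cannot impersonate anyone)."""
        return self.by_webkey.get(webkey, "<unknown key>")


def scenario():
    """Constructed walk-through: two correspondents both nicknamed 'marcs'."""
    table = PetnameTable()
    key_marc, key_other = ("wk-" + secrets.token_urlsafe(12) for _ in range(2))
    first = table.install(key_marc, "marcs")                 # one click
    collided = table.suggest("marcs")                        # None: must type
    second = table.install(key_other, "marcs", chosen="marcs (work)")
    return first, collided, second, table.label(key_marc), table.label(key_other)
```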
