[cap-talk] On revocation and the use of wrappers and In Defense of Identities
Toby Murray
toby.murray at comlab.ox.ac.uk
Wed Dec 6 14:01:36 CST 2006
On Tue, 2006-12-05 at 12:17 -0800, Jed at Webstart wrote:
> Suppose you have a mechanism where if Alice has a permission
> (any sort of permission really, I hesitate to use the term
> "capability" because people seem to immediately infer
> some preferred implementations) and Alice wishes to
> delegate some subset of this permission to Bob in such
> a way that any future exercise of the permission that
> Alice delegates to Bob can be distinguished as the
> permission that Alice delegated to Bob? Suppose
> further that the permission delegated to Bob can be
> revoked by Alice and that Alice is unable to exercise
> the permission so as to make it appear as if it was
> Bob invoking it.
>
Just a back of the envelope type sketch. Does this match your scenario?
(The following won't parse and I know I've messed up the
syntax/semantics a bit but hopefully it gets the idea across)
All accesses to 'frank' are tagged with the delegation chain. I'm
presuming here that alice /wants/ to adhere to the above conditions but
if she doesn't we can always have her reference to 'bob' be a forwarder
that automatically calls 'giveAccessTo(target)' for each of the method
params.
Essentially, when alice wants to pass on access, she asks frank to give
bob a reference. bob's reference is tagged with the delegation chain on
alice's reference with bob appended in the same way that alice's was
tagged with the delegation chain up to her. alice gets a revoker but
doesn't get the reference itself which is given directly to bob, to
prevent her from being able to exercise it and appearing as bob.
def makeTagged(chain, target) {
    // the delegation chain this reference was issued under; its last
    // element is the holder of the reference
    def myChain := chain
    // tag every message with 'myChain' by prepending it to the arguments
    def tagged {
        to getChain() :any {
            return myChain
        }
        match [verb, args] {
            E.call(target, verb, [myChain] + args)
        }
    }
    return tagged
}

def frank {
    // the last element of 'chain' is the holder invoking us
    to giveAccessTo(chain, to) :any {
        def from := chain.last()
        // 'to' is issued the holder's chain with 'to' appended
        def tagged := makeTagged(chain.with(to), frank)
        // makeForwarder is assumed to be a revocable forwarder returning
        // [revoker, forwarder]; it is not defined in this sketch
        def [revoker, forwarder] := makeForwarder(tagged)
        to.hereYouGo(from, forwarder)
        return revoker
    }
    // do stuff with us -- eg. if we're a file, we might be a 'read'
    // method; 'params' stands for the method's own arguments
    to doStuff(chain, params) :any {
        null
    }
}

// in a separate scope
def bob {...}

// in a separate scope
var bob := null
def alice {
    to meetFrank(frank) :any {
        // through alice's tagged reference this arrives at frank as
        // frank.giveAccessTo([alice], bob); alice keeps only the revoker
        return frank.giveAccessTo(bob)
    }
    to meetBob(b) :any {
        bob := b
    }
}

// in some scope that includes all of the above
alice.meetBob(bob)
alice.meetFrank(makeTagged([alice], frank))
> In a similar manner with further delegation to Carol.
> Here's the picture as I see it:
>
>                 ----low access---- Carol
>                /                      |
>               /                       ^
> Object ("Frank") -----medium access -- Bob
>               \                        ^
>                \                       |
>                 ----High access---- Alice
>
> The burden falls on Frank and on the communication mechanism.
What assumptions are made about the communications medium? For example,
can frank tell which identity is invoking him?
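A Python model of the tagged-delegation scheme sketched above, added here as an illustration and not part of the original post: frank, alice and bob, the make_forwarder helper (a revocable forwarder standing in for the post's makeForwarder) and here_you_go are assumed names. Every access reaches frank with the full delegation chain, the forwarder is handed straight to the recipient so the giver cannot invoke it as them, and the giver keeps only the revoker.

```python
# Assumed helper names (make_forwarder, here_you_go) and parties are illustrative.
class Revoked(Exception): pass

def make_forwarder(target):
    box = [target]  # revocable forwarder: returns (revoker, forwarder)
    def forwarder(verb, *args):
        if box[0] is None:
            raise Revoked(verb)
        return box[0](verb, *args)
    def revoker():
        box[0] = None
    return revoker, forwarder

class Frank:
    """The protected object; every method takes the delegation chain first."""
    def __init__(self):
        self.log = []  # (chain, verb) per access, so each access is attributable
    def tagged_ref(self, chain):
        # A reference that prepends `chain` to every call it relays to frank
        def ref(verb, *args):
            self.log.append((chain, verb))
            return getattr(self, verb)(chain, *args)
        return ref
    def give_access_to(self, chain, to):
        # New holder's chain = giver's chain + holder; the forwarder goes straight
        # to the recipient and only the revoker comes back to the giver
        revoker, forwarder = make_forwarder(self.tagged_ref(chain + (to.name,)))
        to.here_you_go(chain[-1], forwarder)
        return revoker
    def read(self, chain, what):
        return f"{what} read via {' -> '.join(chain)}"

class Party:
    def __init__(self, name):
        self.name, self.frank = name, None
    def here_you_go(self, sender, ref):
        self.frank = ref

def scenario():
    frank, alice, bob = Frank(), Party("alice"), Party("bob")
    alice.frank = frank.tagged_ref(("alice",))      # alice's own tagged reference
    revoke_bob = alice.frank("give_access_to", bob)  # alice gets only the revoker
    seen = bob.frank("read", "file")                 # logged as alice -> bob
    revoke_bob()
    try:
        bob.frank("read", "file")
        still_works = True
    except Revoked:
        still_works = False
    return seen, still_works, [chain for chain, _ in frank.log]
```

Further delegation to carol is the same call made by bob (bob.frank("give_access_to", carol)), which yields the chain alice -> bob -> carol and a revoker held by bob.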