[cap-talk] On revocation and the use of wrappers and In Defense of Identities

Marcus Brinkmann marcus.brinkmann at ruhr-uni-bochum.de
Sun Dec 10 06:16:27 CST 2006


At Sun, 10 Dec 2006 01:09:58 -0600,
"Karp, Alan H" <alan.karp at hp.com> wrote:
> In reading a note you wrote after the one I reply to below, I realized
> our disconnect.  I am talking about distributed systems.  You are
> talking about objects running in the same instance of an operating
> system.

Ah, ok, that explains a lot.  I will be careful to make this explicit
in the future.  I seem to be surrounded by network people :)

> In my case, Alice, running on one machine, delegates to Bob, running on
> another machine, a capability to Carol running on a third.  If Carol
> wishes to track that delegation, Carol will have to expend some
> resources.  Carol can charge them against Alice's quota if she chooses.
> If Carol doesn't account for the resource use in some way, Alice can
> consume Carol's resources to the extent that no one else can use Carol.

Note that if Carol indeed wants to track delegation (i.e. identity
tracking), then Carol will have to expend resources in any case, and
things are a lot harder in general (from my POV).  I was not only
talking about single-node systems, but only talking about revocable
delegation without identity tracking in the server (I mentioned that
in one of the early replies, but not since).  That may be another
disconnect.

Unless there is some clever cryptographic protocol I am missing, it
seems to me that storage consumption in the server is necessary to
support revocable delegation (with or without identity tracking) in a
loosely connected network.  In that case, I think we may agree after
all.

Thanks,
Marcus
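
Added example, not part of the original message or of any system discussed on the list: a minimal Python sketch of the scheme in this exchange, where the server (Carol) keeps one stored record per revocable delegation and charges it to the quota of the account that received the root capability. The names Server, grant, delegate, valid and revoke are hypothetical, and who is authorized to call revoke is not modelled.

```python
import secrets

class QuotaExceeded(Exception):
    pass

class Server:
    """Carol: keeps one stored record per live capability (hypothetical API)."""

    def __init__(self):
        self.records = {}  # token -> (parent token or None, charged account)
        self.quota = {}    # account -> delegation records it may still create

    def _store(self, parent, account):
        token = secrets.token_urlsafe(16)  # unguessable reference
        self.records[token] = (parent, account)
        return token

    def grant(self, account, quota):
        """Issue a root capability and give its account a storage quota."""
        self.quota[account] = quota
        return self._store(None, account)

    def valid(self, token):
        """Revocation deletes records, so a live capability is a stored one."""
        return token in self.records

    def delegate(self, token):
        """Create a separately revocable child, charged to the root's account."""
        if not self.valid(token):
            raise PermissionError("capability revoked or unknown")
        account = self.records[token][1]
        if self.quota[account] == 0:
            # Without this check, repeated delegation exhausts Carol's storage.
            raise QuotaExceeded(account)
        self.quota[account] -= 1
        return self._store(token, account)

    def revoke(self, token):
        """Delete the record and everything derived from it; refund the quota."""
        doomed = [token]
        while doomed:
            current = doomed.pop()
            parent, account = self.records.pop(current)
            if parent is not None:  # root records were never charged
                self.quota[account] += 1
            doomed.extend(t for t, (p, _) in self.records.items() if p == current)
```

The server needs no notion of who holds a token, only the per-delegation record, which is the storage cost the message refers to.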


