[cap-talk] Communicating conspirators (Re: Second ABAC Google talk is now up)
Toby Murray
toby.murray at dsto.defence.gov.au
Sun Jul 16 19:57:39 EDT 2006
Eric Jacobs wrote:
>This was the only part of the presentation that I felt pretty
>dissatisfied with, and perhaps it has more to do with the treatment of
>the topic in the capability community in general than anything else, but
>I feel the arguments that were given were not convincing and did not
>resolve the question that was originally asked.
>
>The original comment at 29:15 - (something like this, the audio is
>fuzzy)
>
>"So, I just want to say here as well: I don't want Bob to have a
>reference to Carol except in the scope of the Foo operation. I
>don't want Bob to be able to save that (access?)..."
>
>
I thought about this question as well, while I was watching the
presentation. At first, I thought that the Communication Conspirators
(CC) answer didn't quite address this as well. Having thought more since
then, I now believe that the question is a bit of a contradiction, in
that the assumptions that have to be made in order for the question to
make sense are contradictory.
The assumption seems to be that we don't trust Bob to use Carol in
general but we do trust Bob to use Carol during the execution of Bob's
"foo" operation. This seems to imply that we trust only part of Bob's
implementation, which to me seems a bit far-fetched and somewhat
contradictory.
Of course, this problem has a number of different solutions that can be
applied in different circumstances. (There are probably others I haven't
thought of; these are just the ones I've come up with while writing this
email).
All involve the creation of a proxy that reduces the authority that's
given to Bob.
1. The proxy is "use once", in that it breaks its own link after being
invoked. This might work, depending on how Bob's "foo" operation is
implemented.
2. The proxy only proxies those methods of Carol that Bob needs to call
during his "foo" operation.
3. The proxy is an instance of Redell's Caretaker. We call its "revoke"
method after calling bob.foo(carol).
Each solution is probably valid in different cases, depending on the
original motivation for only wanting Bob to have access to Carol during
the "foo" operation.
--
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia
IMPORTANT: This e-mail remains the property of the Australian Defence
Organisation and is subject to the jurisdiction of section 70 of the
Crimes Act 1914. If you have received this e-mail in error, you are
requested to contact the sender and delete the e-mail.
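The three proxy shapes listed in the post (use-once, method-restricted, and Redell's Caretaker with revoke) can be made concrete in a few lines of object-capability style JavaScript. This is an added example, not code from the post or from anyone in the thread; Carol, Bob, the method names read/write, and the `forward` helper are all constructed here. Bob is modelled as exactly the party the original question worries about: he uses Carol inside foo() as intended, but also stashes the reference and tries to use it again later. The demo shows what each proxy does to that later attempt, alongside the unprotected baseline.

```javascript
'use strict';
// Added example (not from the post): three proxy shapes that attenuate the
// authority Bob receives from bob.foo(carol). Carol, Bob and the method
// names are constructed for the demo.

// Carol: the object whose authority we want Bob to hold only during foo().
function makeCarol() {
  const log = [];
  return {
    read() { log.push('read'); return 'carol-data'; },
    write(v) { log.push('write:' + v); return true; },
    log,
  };
}

// Generic forwarder: a fresh frozen object exposing only `methods`, each
// routed through `gate`, which returns the current target or null once
// the proxy's link to Carol has been broken.
function forward(methods, gate) {
  const facet = {};
  for (const name of methods) {
    facet[name] = (...args) => {
      const t = gate();
      if (t === null) throw new Error('link to target broken');
      return t[name](...args);
    };
  }
  return Object.freeze(facet);
}

// 1. Use-once proxy: forwards a single invocation, then drops its link.
function makeUseOnce(target, methods) {
  let t = target;
  return forward(methods, () => { const cur = t; t = null; return cur; });
}

// 2. Attenuating proxy: only the methods Bob needs for foo() exist on the
//    facet; anything else is simply not there to be called later.
function makeAttenuated(target, allowed) {
  return forward(allowed, () => target);
}

// 3. Redell's Caretaker: forwards everything until revoke() is called.
function makeCaretaker(target, methods) {
  let t = target;
  return { proxy: forward(methods, () => t), revoke() { t = null; } };
}

// Bob: untrusted. foo() uses Carol as intended but also saves the
// reference; later() is the out-of-scope use the question wants to prevent.
function makeBob() {
  let saved = null;
  return {
    foo(carol) { saved = carol; return carol.read(); },
    later() { return saved.write('outside-foo'); },
  };
}

function attempt(fn) {
  try { fn(); return 'allowed'; } catch (e) { return 'denied: ' + e.message; }
}

// Exercise each arrangement and report what Bob's later() attempt achieved,
// plus what actually reached Carol.
function demo() {
  const out = {};

  // Baseline: Bob gets Carol directly, so his later write succeeds.
  { const carol = makeCarol(), bob = makeBob();
    bob.foo(carol);
    out.direct = { later: attempt(() => bob.later()), log: carol.log.slice() }; }

  // 1. use-once: the read inside foo() consumes the proxy.
  { const carol = makeCarol(), bob = makeBob();
    bob.foo(makeUseOnce(carol, ['read', 'write']));
    out.useOnce = { later: attempt(() => bob.later()), log: carol.log.slice() }; }

  // 2. attenuation: write() is absent from the facet Bob holds.
  { const carol = makeCarol(), bob = makeBob();
    bob.foo(makeAttenuated(carol, ['read']));
    out.attenuated = { later: attempt(() => bob.later()), log: carol.log.slice() }; }

  // 3. caretaker: full access during foo(), revoked right after it returns.
  { const carol = makeCarol(), bob = makeBob();
    const { proxy, revoke } = makeCaretaker(carol, ['read', 'write']);
    bob.foo(proxy);
    revoke();
    out.caretaker = { later: attempt(() => bob.later()), log: carol.log.slice() }; }

  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

Note the trade-off the post points at: the use-once proxy only works if foo() makes exactly one call, attenuation only helps if the methods Bob legitimately needs are not the ones you fear, and the caretaker is the most general but relies on the caller remembering to revoke after bob.foo(proxy) returns.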