[cap-talk] A question on capabilities

[Rob]

> On 6/12/06, David Wagner <daw at cs.berkeley.edu> wrote:
>> I gave a talk at PLAS06 yesterday on object capabilities and
>> language-based capability systems.  My slides, if anyone is interested,
>> are here:
>>   http://www.cs.berkeley.edu/~daw/talks/PLAS06.ps
>>
>> I got one question afterwards that I didn't have a great answer to,
>> and I'm curious what others response might be.  The question: Suppose
>> Alice has a powerful capability, and Alice and Bob have a communication
>> channel over which they can talk to each other.  Ok, granted, we can't
>> prevent Alice from sharing her authority with Bob, if she really wants
>> to, since she can always proxy for Bob.  But what about the risk of
>> Alice
>> unintentionally leaking her capability to Bob?  Do capability systems
>> have
>> a good story about how to deal with that?  (And yes, we recognize that
>> if Alice and Bob are completely isolated from each other, then that's
>> one case where capability systems have a good story, but that case is
>> too restrictive, and the questioner was really asking whether there are
>> any other cases where capability systems can help out with this risk).
>
> Isn't this exactly what e-speak was all about? In this case, the
> capability would be linked to Alice, so she'd have to prove ownership
> of her private key in order to exercise it. Of course, Alice could
> leak her private key, too, though that seems less likely since you
> never have to send it over the wire.

Would e-speak still allow Alice to 'explicitly' re-delegate the capability
to Bob?  And if so could the chain of delegations be recorded within the
capability for auditing purposes?

As stated in my previous post on bound yurls a few days ago, I'm trying
to find out if work has been done on auditable delegation.

T.I.A.

Rob