[cap-talk] Managing Domains, section 13

John Carlson john.carlson3 at sbcglobal.net
Fri Nov 17 19:41:19 CST 2006

Hash: SHA1

> I can imagine one if both sides
> have public/private key pairs along the lines of the scheme in:
> http://www.webstart.com/jed/papers/Managing-Domains/#s13
> Perhaps I should get a reaction to the above discussion before
> proceeding further.

Jed, one problem I see with public/private key pairs is that you need
to protect them somehow, either in the kernel, with ACLs, passwords,
or with capabilities (or some other unknown technology)  Does your
paper discuss protecting keys, or is it assumed that capabilities are
protecting the keys?  If you have to decrypt your key everytime you
want to use it for a capability, that could get kind of expensive.

You'd have a more convincing story if you were actually using
public/private keys in some fashion, like in email.

Another issue would be, how many public/private keys are necessary
in a system.  If only the kernel and the user need a key pair, that's  
If every single process has a key pair, you'll be spending a lot of
time generating keys.  If you have persistent processes, this helps.
If you want each web request to live in its own space, and have its
own set of capabilities, that's a lot of key generation--it's not  
If you ask the user to provide a capability to a server, then you're
just asking for phishing again.

I assume that the things you are encrypting are very small (like bulk
encryption keys), otherwise, the public/private key thing could get
computationally expensive.  If I have to do the public/private key
thing for every object reference.

What is your definition of a domain?  It looks like a web server
could have several domains.  How do you wall off portions of
a web server from each other?  What kind of language support
do you need for this?

For conventional email PKE, also be aware that you need to
encrypt/sign/encrypt or sign/encrypt/sign.  At least that was
from one source that I read about.  I have forgotten the details,
but it sounds like a good idea.  You don't particularly have
to do the key operation, just put the from and to in your email,
like "Jed" and "John."

Version: GnuPG v1.4.5 (Darwin)


More information about the cap-talk mailing list