[cap-talk] Declaring a victory

Norman Hardy norm at cap-lore.com
Sun Aug 12 19:46:07 EDT 2007


On 2007 Aug 11, at 7:03 PM, Jed Donnelley wrote:
.......
> 3.  Most surprising to me was the reemergence
> in a new (and to me more reasonable) form of the
> 'pass once' mechanism for capabilities (e.g. as seen
> as an effort to combat communicating conspirators
> in a number of historical capability systems like
> Demos, Mach, and others).  In this context it becomes
> 'delegate once' or as might be more meaningful
> at this "ID" level, 'don't re-delegate'.
>
> As we well know, the "pass once" mechanism for
> 'raw' capabilities makes no sense.  It blocks the
> development of finer grained implementations
> of services (introducing more objects) because
> the holder of the capability can't even communicate
> it to new "sub" objects.
>
> However, in the context of higher level identities
> (e.g. people) I believe a "do not re-delegate" policy
> makes good sense and fits in as an effective
> additional potential policy in a suite of voluntary
> oblivious compliance policies (to use AlanK's
> term).  With such a "do not re-delegate" policy
> (e.g. parameter to a Horton hook) in place,
> communication of capabilities can still be
> done within the responsibility of a single
> identity.  It's only when delegating to another
> identity (e.g. person) that the block takes effect.

My stuff below is vague; I am not sure I am asking precise questions.

At which level is the distinction made between principals?
If principal X is using code written by Y to accomplish the charter of X, who is the principal?
If X invokes a properly confined object that obeys code by Y, is that delegation?
It seems as if we are sliding back to the assumption that all of the code that a principal X uses does just what X wants it to do.
Sometimes we say that X relies on all of the code that X invokes.
A capability platform is so that X can correctly rely on code Z while knowing less about Z than if the platform were conventional.
This influences the concept of "rely upon"; it is relative to the platform we assume.
I think the magic of Horton is being able to say (and mean) to another agency:
    Do your magic on this here thing, (but I will have a record of what it is that you have done.)

In short I am not sure what we are discussing in this thread.