[cap-talk] Jed's problem with the current Horton -> C

Karp, Alan H alan.karp at hp.com
Sun Jun 3 01:42:47 EDT 2007


Jed wrote:
> 
> Now if A wishes to communicate this permission to
> B, A can simply "sign" a message with Alice's
> identity to the effect of, "I delegate this
> capability c to Bob" and then send it to Bob.
> Of course A must insure that Bob can't extract
> the clear capability to prevent Bob from being
> able to use the capability that is Alice's
> responsibility.  To add this needed property
> A could encrypt (seal) the capability so that
> only Carol (e.g. through her deputy C) can
> recover this message.
> 
This approach is similar to what we're doing using SAML certificates as
capabilities.  (A draft of our paper will be available in a week or so.)
Alice delegates her right to Bob by creating a new authorization
certificate containing her authorization certificate as evidence that
the delegation is valid.  Carol has access to the full delegation chain
when Bob submits his authorization along with his request.

Horton provides similar information without crypto, since sealers and
unsealers are simply objects.  Horton also provides "deniable
authentication" in which Carol knows that Bob took some action but can't
prove it to anyone else.  That's not the case when requests are signed.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
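
The sketch below is an added illustration, not part of the original message and not Horton's or the SAML design's own code. It models the sealed delegation Jed describes using sealer/unsealer pairs that are simply objects, and lets Carol recover the full delegation chain. All function names are hypothetical, and Carol is assumed to authenticate the requester's name by other means.

```javascript
// Sealer/unsealer pair as plain objects (all names here are hypothetical):
// the WeakMap is the only path from a box to its contents.
function makeBrand(name) {
  const contents = new WeakMap();
  const seal = (value) => {
    const box = Object.freeze({ sealedBy: name });
    contents.set(box, value);
    return box;
  };
  const unseal = (box) => {
    if (!contents.has(box)) throw new Error(`not sealed by ${name}`);
    return contents.get(box);
  };
  return { name, seal, unseal, holds: (box) => contents.has(box) };
}

// A principal "signs" by sealing with a private sealer whose unsealer is
// public; the result is then sealed so that only Carol can open it.
// evidence: the clear capability at the root, else the delegator's own box.
function delegate(from, to, evidence, sealForCarol) {
  return sealForCarol({ from: from.name, stmt: from.seal({ to, evidence }) });
}

// Carol's side: unwrap each link, check it names the next holder, and return
// the capability together with the full chain of responsibility.
function resolve(carol, verifiers, issued, box, requester) {
  const chain = [];
  let expected = requester, item = box;
  do {
    const { from, stmt } = carol.unseal(item);
    const { to, evidence } = verifiers.get(from)(stmt); // throws if not from's
    if (to !== expected) throw new Error(`${from} delegated to ${to}`);
    chain.unshift(`${from}->${to}`);
    expected = from; item = evidence;
  } while (carol.holds(item));
  if (!issued.has(item)) throw new Error('root is not a capability Carol issued');
  return { capability: item, chain };
}

// Constructed scenario: Alice -> Bob -> Dave for capability c.
function demo() {
  const [alice, bob, carol] = ['Alice', 'Bob', 'Carol'].map(makeBrand);
  const c = Object.freeze({ read: () => 'file contents' });
  const bobBox = delegate(alice, 'Bob', c, carol.seal);
  const daveBox = delegate(bob, 'Dave', bobBox, carol.seal);
  const verifiers = new Map([['Alice', alice.unseal], ['Bob', bob.unseal]]);
  const ask = (box, who) => resolve(carol, verifiers, new WeakSet([c]), box, who);
  return { bobBox, daveBox, ask };
}
```

Bob and Dave hold only opaque boxes, so neither can invoke `c` directly; Carol alone recovers it along with who delegated to whom.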
  
  


