[cap-talk] mailkey: transfer of accountability. Is this broken ?? should I start from scratch/horton ?

Karp, Alan H alan.karp at hp.com
Sun Jun 3 17:06:56 EDT 2007


James A. Donald wrote:
> 
> I suspect that Horton is in danger of disappearing up its own
> fundament - that it is losing contact with real world issues.  This, of
> course, may well be an indication of how ignorant I am about how to
> structure capabilities.  Seems to me that some of the things that Horton
> is attempting to do probably cannot be done, or even very clearly
> defined, with the result that it grows without limit in complexity, and
> declines without limit in comprehensibility.
> 
I've read your comments and exchange with Jed, and I feel there is a
disconnect that I'll try to resolve.

Mailkey is a protocol for deciding what mail is to be considered spam.
It's a useful idea, but it is not a universal solution.  For example, it
works for my gmail address but not my HP mail address.  Others have
proposed similar ideas, such as putting similar information into the
subject field.  Mailkey also suffers from the "useful mail from someone
I don't know" problem, a common example of which is the call for papers.

Horton is solving a different problem, assigning responsibility for
actions between responsible parties.  As Rob showed, the basic idea can
be specialized to address the spam problem, but Horton is more general.
Some of the perceived complexity of Horton comes from supporting that
generality, some comes from starting from a different set of
assumptions, some comes from having a 5 page limit in which to describe
it.

Let me start by reiterating the real world problem described in the
paper to motivate Horton.  Carol runs a wiki with access controlled by
capabilities.  Alice is a registered user of that wiki.  Alice would like
Bob to be able to post to that wiki, but doesn't want to be held
responsible should he post spam or turn out to be a flamer.  Bob would
like to post to the wiki but not be held responsible for Alice's
actions.  Note that postings do not use email, so mailkey does not
address this problem.  This problem passes the real world test because
it is commonly faced by wiki administrators.

The Horton protocol seems to be more complex than the mailkey protocol
for a couple of reasons.  In an email system, we assume that even before
the introduction there is a path by which Bob can communicate with Carol
without involving Alice.  That is not the case for a system built on
object references.  Addressing that part of the problem has nothing to
do with responsibility tracking or even object capabilities.  That part
of the Horton protocol is very similar to a three-party introduction in
any remote object system.  The second reason for the extra complexity
comes from wanting to do responsibility tracking without using crypto.
That requires some extra messages be passed between Bob and Carol via
Alice so that Alice can't do something that Carol will blame on Bob.

MarkM and I spent a couple of hours on Friday afternoon translating the
mailkey protocol to an object capability framework.  While we originally
thought we could use insights from mailkey to simplify the Horton
protocol, in the end the improvements appeared to be minor if there
were any at all.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
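The wiki scenario above (Alice vouches for Bob to Carol, but neither wants to answer for the other's posts), as an added toy model that is not part of the original message and is not the Horton protocol. It keeps exactly the simplification the message says Horton must do without: it assumes Bob already has a direct path to Carol (modelled as Bob holding a reference to the wiki's `claim` facet, the way an email sender can reach a recipient directly) and that the name presented on that path is honest. The classes `Wiki`, `PostCap`, `Invitation` and the two scenario functions are hypothetical names chosen for the example. It contrasts naive delegation, where Alice hands Bob her own capability and is blamed and locked out for his spam, with delegation through a single-use invitation that Carol attributes to Bob, remembers as introduced by Alice, and can revoke without touching Alice.

```python
"""Toy model of delegation with responsibility tracking (Alice, Bob, Carol).

Added illustration, not the Horton protocol. Assumption: Bob can reach the
wiki's `claim` facet directly, without going through Alice, and the name he
presents there is the one Carol sees on that direct path.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import itertools


class Revoked(Exception):
    """Raised when a capability has been revoked by the wiki owner."""


@dataclass
class PostCap:
    """A posting capability. Every post is attributed to `holder`; the wiki
    remembers who introduced the holder but never blames the introducer."""
    wiki: "Wiki"
    holder: str
    introduced_by: str | None = None
    live: bool = True

    def post(self, text: str) -> None:
        if not self.live:
            raise Revoked(self.holder)
        self.wiki.posts.append((self.holder, self.introduced_by, text))

    def invite(self) -> "Invitation":
        """Alice vouches for a newcomer without sharing her own capability."""
        if not self.live:
            raise Revoked(self.holder)
        return self.wiki.issue_invitation(self.holder)


@dataclass
class Invitation:
    """Single-use token: if the introducer redeems it herself, the newcomer's
    own redemption fails, so interception is detected instead of silent."""
    issuer: str
    token: int
    redeemed: bool = False


@dataclass
class Wiki:
    """Carol's wiki. It knows members only by the capability objects it issued."""
    posts: list = field(default_factory=list)      # (holder, introduced_by, text)
    caps: dict = field(default_factory=dict)
    invites: dict = field(default_factory=dict)
    counter: itertools.count = field(default_factory=itertools.count)

    def register(self, name: str) -> PostCap:
        """Carol registers a user directly (out of band)."""
        self.caps[name] = PostCap(self, name)
        return self.caps[name]

    def issue_invitation(self, issuer: str) -> Invitation:
        inv = Invitation(issuer, next(self.counter))
        self.invites[inv.token] = inv
        return inv

    def claim(self, inv: Invitation, newcomer: str) -> PostCap:
        """Bob redeems the invitation over his direct path to Carol (assumed)."""
        stored = self.invites.get(inv.token)
        if stored is None or stored.redeemed:
            raise ValueError("invitation unknown or already used")
        stored.redeemed = True
        self.caps[newcomer] = PostCap(self, newcomer, introduced_by=stored.issuer)
        return self.caps[newcomer]

    def revoke(self, name: str) -> None:
        """Revoking Bob leaves Alice's capability untouched, and vice versa."""
        self.caps[name].live = False

    def responsible_for(self, text: str) -> str | None:
        return next((h for h, _via, t in self.posts if t == text), None)


def naive_delegation() -> dict:
    """Alice simply hands Bob her own capability: Carol can only blame Alice."""
    wiki = Wiki()
    alice = wiki.register("alice")
    bob = alice                        # the shared reference IS Alice's cap
    bob.post("BUY NOW!!!")             # Bob spams
    blamed = wiki.responsible_for("BUY NOW!!!")
    wiki.revoke(blamed)                # Carol revokes the spammer...
    try:
        alice.post("useful edit")
        locked_out = False
    except Revoked:
        locked_out = True              # ...and Alice is locked out with him
    return {"blamed": blamed, "alice_locked_out": locked_out}


def accountable_delegation() -> dict:
    """Alice issues a single-use invitation; Bob redeems it himself."""
    wiki = Wiki()
    alice = wiki.register("alice")
    bob = wiki.claim(alice.invite(), "bob")
    bob.post("BUY NOW!!!")
    alice.post("useful edit")
    blamed = wiki.responsible_for("BUY NOW!!!")
    wiki.revoke(blamed)                # only Bob's capability dies
    try:
        alice.post("another edit")
        alice_still_posts = True
    except Revoked:
        alice_still_posts = False
    try:                               # replaying a used invitation is refused
        wiki.claim(wiki.invites[0], "mallory")
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"blamed": blamed, "introduced_by": wiki.caps["bob"].introduced_by,
            "alice_still_posts": alice_still_posts, "replay_rejected": replay_rejected}
```

The direct-path assumption is doing the work here: in a system built purely on object references, Alice would be the only route between Bob and Carol, could swap in her own "newcomer" at claim time, and the extra messages the message describes (routed through Alice but checked by Carol and Bob) are what Horton adds to close that gap without cryptography.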