[cap-talk] mailkey: transfer of accountability. Is this broken ?? should I start from scratch/horton ?

James A. Donald jamesd at echeque.com
Sun Jun 3 21:26:24 EDT 2007


Karp, Alan H wrote:
> Let me start by reiterating the real world problem described in the
> paper to motivate Horton.  Carol runs a wiki with access controlled by
> capabilities.  Alice is a registered user of that wiki.  Alice would like
> Bob to be able to post to that wiki, but doesn't want to be held
> responsible should he post spam or turn out to be a flamer.  Bob would
> like to post to the wiki but not be held responsible for Alice's
> actions. 


Here is the non-Horton solution in the context of the wiki example - 
this is the fourth time I have described it, and the second time I have 
described it in the context of a particular concrete example:

Alice has her login, which she does not share with anyone.

Bob has his logon, but it has little or no authority.

Alice has a bunch of keys, enabling her to exercise editorial authority. 
She gives one of these keys to Bob.  These keys could be unguessable 
wiki URLs.  Log on at one of these URLs, and you have editorial authority 
similar to Alice's.  These URLs are capabilities.

Bob logs on as Bob, he cannot log on as Alice. He uses the key Alice 
gave him, to do stuff.

If Alice gets upset by stuff done to the wiki using keys issued by her, 
she has the wiki revoke that key.

If Alice gives keys to lots of people, and quite a few of those people 
cause problems, all Alice's keys get revoked.

Alice does not get blamed for stuff done by Bob, nor Bob for stuff done 
by Alice, since they have unique logins.  Alice may get blamed for 
dispersing editorial authority unwisely.


It seems to me that capabilities should be numerous and small.  Having a 
capability that represents a great deal of information about identity, 
as in Horton, is a larger than necessary capability, which produces 
greater complexity in the management and use of that capability.
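
The scheme described in the message above, sketched as an added example that is not part of the original post or of any wiki's real code: each edit is attributed to the login that made it, the key only records who issued it, and revocation works per key or per issuer. The class and method names are hypothetical, and logins are assumed to be authenticated already.

```python
import hashlib
import secrets


class Wiki:
    """Toy model (hypothetical names): unique logins plus revocable keys."""

    def __init__(self):
        self.keys = {}        # sha256(key) -> login of the user who issued it
        self.revoked = set()  # digests of revoked keys
        self.audit = []       # (actor login, issuer login, action)

    @staticmethod
    def _digest(key):
        # Store only a hash so a leaked key table does not leak usable keys.
        return hashlib.sha256(key.encode()).hexdigest()

    def issue_key(self, issuer):
        """Mint an unguessable key, e.g. the secret part of a wiki URL."""
        key = secrets.token_urlsafe(32)
        self.keys[self._digest(key)] = issuer
        return key

    def edit(self, login, key, action):
        """Perform `action` as `login` (assumed authenticated) using `key`."""
        d = self._digest(key)
        issuer = self.keys.get(d)
        if issuer is None or d in self.revoked:
            return False
        # Accountability: the actor is the login; the key only names its issuer.
        self.audit.append((login, issuer, action))
        return True

    def revoke_key(self, issuer, key):
        """The issuer has the wiki revoke one key that she handed out."""
        d = self._digest(key)
        if self.keys.get(d) != issuer:
            return False
        self.revoked.add(d)
        return True

    def revoke_issuer(self, issuer):
        """Revoke every key issued by one user; returns how many were hit."""
        mine = {d for d, who in self.keys.items() if who == issuer}
        self.revoked |= mine
        return len(mine)
```
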

