[cap-talk] mailkey: transfer of accountability. Is this broken ?? should I start from scratch/horton ?

James A. Donald jamesd at echeque.com
Mon Jun 4 00:58:04 EDT 2007


James A. Donald wrote:
 >> Alice has her login, which she does not share with
 >> anyone.

Karp, Alan H wrote:
 > And there's the disconnect.  In a capability system,
 > Alice does not have a login with Carol.  Alice has a
 > capability to access Carol.

A capability is typically a shared secret.  So she does
have a login with Carol.

And if you do not want to call it a login, then
everything I said remains the same, mutatis mutandis:

Here is the non-Horton solution in the context of the
wiki example - this is the fifth time I have described
it, and the third time I have described it in the
context of a particular concrete example:

Alice has her identity capability, which she does not
share with anyone.  It enables her to sign wiki entries.

Bob has a similar capability, but it is of little use,
since he has little or no authority to make wiki entries.

Alice has a bunch of keys, enabling her to exercise
editorial authority.

She gives one of these keys to Bob.  These keys could
be unguessable wiki URLs.  Access one of these URLs,
and you have editorial authority similar to Alice's.
These URLs are capabilities.

He uses the key Alice gave him to do stuff.  His
identity key is also required.

If Alice gets upset by stuff done to the wiki using keys
issued by her, she has the wiki revoke that key.

If Alice gives keys to lots of people, and quite a few
of those people cause problems, all Alice's keys get
revoked.

Alice does not get blamed for stuff done by Bob, nor Bob
for stuff done by Alice, since they have unique identity
capabilities.  Alice may get blamed for dispersing
editorial authority unwisely.

It seems to me that capabilities should be numerous and
small.  Having a capability that represents a great deal
of information about identity, as in Horton, is a larger
than necessary capability, which produces greater
complexity in the management and use of that capability.
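The scheme laid out in this post (per-person identity capabilities, editorial keys handed out by Alice, blame attached to the signing identity, and revocation of one key or of every key Alice issued), modelled as an added, runnable example. It is not code from the post or from the cap-talk list; the class names Wiki and IdentityCap, the HMAC-over-a-shared-secret signing (the post itself calls a capability a shared secret), the constructed PROBLEM_THRESHOLD of two misused keys, and the demo() scenario are all assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class IdentityCap:
    """An identity capability its holder never shares. Modelled as an HMAC key
    known only to the holder and the wiki (the post treats capabilities as
    shared secrets); a deployment could use public-key signatures instead."""
    name: str
    secret: bytes

    def sign_edit(self, token: str, text: str) -> str:
        # The signed message binds the editorial key used to the edit text.
        msg = token.encode() + b"\n" + text.encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()


class Wiki:
    PROBLEM_THRESHOLD = 2  # constructed: "quite a few" misused keys -> revoke all

    def __init__(self) -> None:
        self._identity_secrets: dict[str, bytes] = {}  # name -> HMAC key
        self._editors: set[str] = set()                # may issue editorial keys
        self._keys: dict[str, str] = {}                # token -> issuing identity
        self._revoked: set[str] = set()
        self.history: list[tuple[str, str, str]] = []  # (signer, token, text)

    def register(self, name: str, editor: bool = False) -> IdentityCap:
        cap = IdentityCap(name, secrets.token_bytes(32))
        self._identity_secrets[name] = cap.secret
        if editor:
            self._editors.add(name)
        return cap

    def issue_key(self, issuer: IdentityCap) -> str:
        """An editor mints an unguessable token: the post's 'unguessable wiki URL'."""
        known = self._identity_secrets.get(issuer.name, b"")
        if issuer.name not in self._editors or not hmac.compare_digest(known, issuer.secret):
            raise PermissionError(f"{issuer.name} cannot issue editorial keys")
        token = secrets.token_urlsafe(32)
        self._keys[token] = issuer.name
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._keys and token not in self._revoked

    def edit(self, token: str, signer: str, signature: str, text: str) -> bool:
        """Both the editorial key and a valid identity signature are required;
        the edit is attributed to the signer, not to whoever issued the key."""
        if not self.is_valid(token) or signer not in self._identity_secrets:
            return False
        expected = IdentityCap(signer, self._identity_secrets[signer]).sign_edit(token, text)
        if not hmac.compare_digest(expected, signature):
            return False
        self.history.append((signer, token, text))
        return True

    def edits_by(self, name: str) -> list[str]:
        return [text for who, _, text in self.history if who == name]

    def report_problem(self, token: str) -> bool:
        """Revoke a misused key. Once PROBLEM_THRESHOLD of an issuer's keys have
        been reported, every key that issuer ever handed out is revoked too.
        Returns True when that issuer-wide revocation happened."""
        issuer = self._keys.get(token)
        if issuer is None:
            return False
        self._revoked.add(token)
        problem_keys = sum(1 for t in self._revoked if self._keys[t] == issuer)
        if problem_keys < self.PROBLEM_THRESHOLD:
            return False
        self._revoked.update(t for t, who in self._keys.items() if who == issuer)
        return True


def demo() -> dict:
    wiki = Wiki()
    alice = wiki.register("alice", editor=True)
    bob, carol = wiki.register("bob"), wiki.register("carol")
    k_bob, k_carol, k_spare = (wiki.issue_key(alice) for _ in range(3))
    r = {}
    # Bob edits with Alice's key but his own identity: the edit is his, not hers.
    r["bob_edit"] = wiki.edit(k_bob, "bob", bob.sign_edit(k_bob, "fix typo"), "fix typo")
    try:
        wiki.issue_key(bob)  # Bob's identity carries no editorial authority
        r["bob_can_issue"] = True
    except PermissionError:
        r["bob_can_issue"] = False
    r["bad_sig"] = wiki.edit(k_carol, "carol", "0" * 64, "spam")  # key alone is not enough
    r["carol_edit"] = wiki.edit(k_carol, "carol", carol.sign_edit(k_carol, "spam"), "spam")
    r["blame_bob"], r["blame_alice"] = wiki.edits_by("bob"), wiki.edits_by("alice")
    r["first_cascade"] = wiki.report_problem(k_carol)  # only Carol's key is revoked
    r["carol_after"] = wiki.edit(k_carol, "carol", carol.sign_edit(k_carol, "x"), "x")
    r["bob_still_ok"] = wiki.edit(k_bob, "bob", bob.sign_edit(k_bob, "more"), "more")
    r["second_cascade"] = wiki.report_problem(k_bob)  # threshold reached: all Alice's keys go
    r["spare_valid"] = wiki.is_valid(k_spare)
    return r
```

Running demo() shows the two properties the post relies on: edits made with Alice's key are recorded against Bob's identity, not hers, so she is never blamed for his content; and revoking one misused key leaves the other keys working until enough of her keys have caused problems, at which point everything she issued (including a key never handed out) stops working.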
