[cap-talk] SPAM-LOW: Re: mailkey: transfer of accountability. Is this broken ?? should I start from scratch/horton ?

Sandro Magi smagi at higherlogics.com
Mon Jun 4 09:03:08 EDT 2007


James A. Donald wrote:
> A capability is typically a shared secret.  So she does
> have a login with Carol.
> 
> And if you do not want to call it a login, then
> everything I said remains the same, mutatis mutandis:
> 
> Here is the non-Horton solution in the context of the
> wiki example - this is the fifth time I have described
> it, and the third time I have described it in the context
> of a particular concrete example:
> 
> Alice has her identity capability, which she does not
> share with anyone.  It enables her to sign wiki entries.
> 
> Bob has a similar capability, but it is of little use,
> since he has little or no authority to make wiki entries.
> 
> Alice has a bunch of keys, enabling her to exercise
> editorial authority.
> 
> She gives one of these keys to Bob.  These keys could
> be unguessable wiki URLs.  Access one of these URLs, and you have
> editorial authority similar to Alice's.  These URLs are
> capabilities.
> 
> He uses the key Alice gave him, to do stuff.  His
> identity key is also required.
> 
> If Alice gets upset by stuff done to the wiki using keys
> issued by her, she has the wiki revoke that key.
> 
> If Alice gives keys to lots of people, and quite a few
> of those people cause problems, all Alice's keys get
> revoked.

Horton's advantage over this approach is that all of the people Alice
delegated this capability to do not get revoked, merely the one she
specifies, or if this is not inherently supplied, it makes it easy to
insert a caretaker, and track it by its label.

Your proposal requires Alice to manually track all caretakers she's
created, client-side as a bookmark instead of server-side via a
"delegation label manager" if you will; Horton is a simple front-end to
this common pattern where you can assign a label to each caretaker.
Calling this an "identity" is merely one possible use of it.

> Alice does not get blamed for stuff done by Bob, nor Bob
> for stuff done by Alice, since they have unique identity
> capabilities.  Alice may get blamed for dispersing
> editorial authority unwisely.
> 
> It seems to me that capabilities should be numerous and
> small.  Having a capability that represents a great deal
> of information about identity, as in Horton, is a larger
> than necessary capability, which produces greater
> complexity in the management and use of that capability.

You seem hung up on "identity". Horton simply builds a local name system
(which we have been calling "identities") in order to make it easier to
track delegations of interest.

There is no question that such "identities" are superfluous for
capabilities; however, being able to assign human readable labels to
delegations and have them automatically tracked (instead of having to do
it manually yourself) increases the usability of any system where a
*person* must manage such delegations. To such a person, this can mimic
identity-based systems, though it need not. These "identities" do not
carry authority, and they are not global like identities but local like
petnames/bookmarks.

Sandro
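
The labelled-caretaker pattern discussed in this message, as an added example that is not part of the original post and is not Horton's own code. It assumes a hypothetical in-memory wiki and a hypothetical `makeDelegationManager` on Alice's side, and shows one labelled delegation being revoked while another stays live.

```javascript
// Added illustration; all names are hypothetical, not Horton's own API.

// Constructed stand-in for the wiki authority Alice holds.
function makeWiki() {
  const pages = new Map();
  return {
    edit(page, text, via) { pages.set(page, { text, via }); return true; },
    lastEditor(page) { return pages.has(page) ? pages.get(page).via : null; },
  };
}

// Alice's side: one revocable caretaker per delegation, tracked by local label.
function makeDelegationManager(target) {
  const entries = new Map(); // label -> { revoke, count }
  function delegate(label) {
    if (entries.has(label)) throw new Error(`label already used: ${label}`);
    let live = target; // severed on revoke
    let uses = 0;
    const caretaker = Object.freeze({
      edit(page, text) {
        if (live === null) throw new Error(`delegation revoked: ${label}`);
        uses += 1;
        return live.edit(page, text, label); // edit is attributed to the label
      },
    });
    entries.set(label, { revoke() { live = null; }, count: () => uses });
    return caretaker; // the only object handed to the delegate
  }
  function revoke(label) {
    const entry = entries.get(label);
    if (!entry) throw new Error(`unknown label: ${label}`);
    entry.revoke();
  }
  const useCount = (label) => entries.get(label).count();
  return Object.freeze({ delegate, revoke, useCount, labels: () => [...entries.keys()] });
}

// Constructed scenario: Bob misuses his delegation, Dave does not.
function demo() {
  const wiki = makeWiki();
  const alice = makeDelegationManager(wiki);
  const bob = alice.delegate("bob");
  const dave = alice.delegate("dave");
  bob.edit("Home", "spam");
  alice.revoke("bob"); // only this caretaker is severed
  let bobBlocked = false;
  try { bob.edit("Home", "more spam"); } catch (e) { bobBlocked = true; }
  const daveOk = dave.edit("Home", "cleanup");
  return { bobBlocked, daveOk, last: wiki.lastEditor("Home"), bobUses: alice.useCount("bob") };
}
```

The labels are local to Alice's manager, like petnames, and carry no authority themselves; the authority is the caretaker object each delegate holds.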