[cap-talk] mailkey: transfer of accountability

David Hopwood david.hopwood at industrial-designers.co.uk
Mon Jun 4 11:37:53 EDT 2007


Karp, Alan H wrote:
> David Hopwood wrote:
>> Karp, Alan H wrote:
>>>
>>> The Horton protocol seems to be more complex than the mailkey protocol
>>> for a couple of reasons.  In an email system, we assume that even before
>>> the introduction there is a path by which Bob can communicate with Carol
>>> without involving Alice.
>>
>> I don't think that the mailkey protocol does assume this. It doesn't
>> involve sending mail to any principal, without first having received a
>> keyed address for that principal from some other principal that
>> already knows it.
> 
> Perhaps I misunderstand.  In mailkey, Alice asks Carol for a key to give
> to Bob.  Bob uses that key to send an email directly to Carol asking for a
> key for him to use that Alice doesn't know.

Oh, how irritating: part of the confusion here is just due to the
principals being labelled differently between mailkeys.pdf
("Bob intends Carol to be able to send to Alice and vice-versa") and
our usual convention ("Alice intends Bob to be able to send to Carol").
I answered assuming the latter, but I think you meant the former.

I think the simplest way to resolve this is for you to restate your
argument using the usual convention -- otherwise we're going to get into
horrible difficulties comparing with the Horton paper.

-- 
David Hopwood <david.hopwood at industrial-designers.co.uk>


