[cap-talk] Meijer on Mailkey (was: mailkey: transfer of accountability. Is this broken ??)
Jed Donnelley
jed at nersc.gov
Mon Jun 4 15:59:09 EDT 2007
cap-talk,
After the recent flurry of discussion about Mailkey, I'm going back to Rob's
original message to see if I can glean enough additional detail to allow me
to make an object/capability (as Alan says, bearer rights) comparison
with the Horton approach. MarkM indicated that he would call me
in about 30 minutes (13:00 PST) and we can talk then, so this is in the
nature of a review before that discussion, trying to incorporate the new
information from the cap-talk exchanges.
Rob Meijer wrote:
> After reading the horton paper, I have been trying to find out
> if and how the alternative protocol I designed for the mailkey
> anti spam project to take care of transfer of accountability is
> broken or not. I posted on this before, but as no one replied
> either positively or negatively I am stuck with the uncertainty
> and do not really dare to proceed on implementing it now.
>
> I will try to rephrase my mailkey project so it would more fit
> OC and the horton alternative.
>
> We start off with Alice having 5 references:
>
> Alice -> AB1 -> Bob
> Alice -> AB2 -> Bob
> Alice -> AC1 -> Carol
> Alice -> AC2 -> Carol
> Alice -> Mediator
>
As I have noted in my discussion, I believe the distinction between
A acting with some capabilities labeled as the responsibility of Alice
and "Alice" having references is important. What does it mean for
"Alice" to have the above references? Does this simply mean that
some active object such as A has some references that are considered
Alice's responsibility (e.g. as with Horton), or does it mean that a
process (active object) that has an identity capability for Alice (Alice's
beAlice in the Horton terminology, or a public key that identifies
Alice in a PKI context) has the above references?
Also, I'd like to understand why two references to each B (Bob?)
and C (Carol?) are needed.
> When Alice wants to introduce Bob and Carol she sends a message
> to Mediator:
>
> Alice -> Mediator("introduce",AB2,"bob",AC2,"carol");
>
> Mediator on receiving this message forwards the message to both
> its arguments, and both get forwarded to :
>
> Mediator -> AB2("intro1",AC2,"carol")
> Mediator -> AC2("intro1",AB2,"bob")
>
What is the "carol" parameter above? Is it literally the name associated with
the Carol identity (the beCarol or the private key) as is suggested by the ""s
or is it something like the whoCarol or Carol's public key?
> As a result of these actions both AB2 and AC2 clone themselves
> into respectively AB3 and AC3.
>
> After this, both AB2 and AC2 generate new messages:
>
> AB2->AC2("intro2",AB3)
> AC2->AB2("intro2",AC3)
>
> Now the introduction gets finally forwarded to Bob and Carol:
>
> AB2->Bob("introduction",AB2,AC3,"carol")
> AC2->Bob("introduction",AC2,AB3,"bob")
>
I'm afraid I'm still at the point where I don't understand enough about
the above and what I've read from:
http://www.xs4all.nl/~rmeijer/mailkeys.pdf
and from:
http://erights.org/elib/capability/horton/mailkeys.html
to make an effective comparison between Mailkey and Horton. I hope MarkM
will be able to shed some light on the comparison.
> From the point where either "intro1" or "intro2" is received,
> AB2/AC2 stop forwarding to Bob and Carol respectively.
>
> It may be important to note that in my concrete case, the mediator
> being used is internet e-mail combined with To and Cc mail headers, and
> all references in my case contain the full forgeable e-mail addresses of
> the parties involved.
>
I don't understand what role the "mediator" plays in the
object/capability comparison.
Even doing such a comparison may well be the source of some tension. It may
be that the proposed Mailkey protocol is an effective design where, for example,
confinement isn't an issue (as with email on today's Internet). As I've noted,
I feel uncomfortable with the involvement of C in the Horton delegation with
responsibility from A to B.
> From earlier mail on the list I get the feeling there should be something
> broken in this protocol, but I can't put my finger on what this would be, or
> if my special case for e-mail addresses may actually be one special case
> that isn't broken while the general OC usage of the protocol would be.
>
> I am really interested to know if I am completely on a wrong track here and
> should thus just throw away my design and start from scratch (with horton
> as a guideline), or if I could continue and start implementing the above.
>
I also hope to better understand - perhaps in just a few minutes (if
MarkM does...).
--Jed
http://www.webstart.com/jed/
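To make the quoted message sequence concrete, here is a toy simulation of the introduction protocol as quoted above. This is an added example written for this page; it is not code from Rob Meijer's Mailkey project or from Horton, and it fills in details the quoted text leaves open as labelled assumptions: each reference object carries an `accountable` label naming the party whose responsibility it is, a clone inherits that label unchanged, ordinary traffic is modelled as a "mail" message that a reference forwards only while it is still forwarding, and the second "introduction" line is read as addressed to Carol (the quote literally says Bob). The model lets you see which messages reach Bob and Carol and that AB2 and AC2 stop forwarding ordinary traffic once the introduction has been processed, while untouched references such as AB1 keep working.

```python
"""Toy model of the Mailkey introduction sequence (added example, not
Rob Meijer's or Horton's code).  Assumptions are marked in comments."""


class Party:
    """An endpoint such as Alice, Bob or Carol; it just records what arrives."""

    def __init__(self, name):
        self.name = name
        self.inbox = []

    def receive(self, msg):
        self.inbox.append(msg)


class Proxy:
    """A reference such as AB2: forwards to `target` on behalf of `accountable`.

    `accountable` is an assumed label (the party whose responsibility the
    reference is); the quoted protocol does not spell out how it is carried.
    """

    def __init__(self, accountable, target, prefix, index):
        self.accountable = accountable
        self.target = target
        self.prefix, self.index = prefix, index
        self.forwarding = True      # becomes False once intro1 or intro2 arrives
        self.other_ref = None       # peer reference named in intro1 (e.g. AC2)
        self.other_name = None      # peer party's name string from intro1
        self.other_clone = None     # peer's clone delivered by intro2 (e.g. AC3)

    @property
    def name(self):
        return f"{self.prefix}{self.index}"

    def clone(self):
        # AB2 clones itself into AB3.  Assumption: the clone keeps the same
        # accountability label; the quoted text does not say otherwise.
        return Proxy(self.accountable, self.target, self.prefix, self.index + 1)

    def receive(self, msg):
        tag = msg[0]
        if tag == "intro1":
            # Mediator -> AB2("intro1", AC2, "carol")
            _, self.other_ref, self.other_name = msg
            self.forwarding = False
            self.other_ref.receive(("intro2", self.clone()))   # AB2 -> AC2("intro2", AB3)
            self._finish_if_ready()
        elif tag == "intro2":
            # AC2 -> AB2("intro2", AC3)
            self.other_clone = msg[1]
            self.forwarding = False
            self._finish_if_ready()
        elif self.forwarding:
            self.target.receive(msg)
        # Otherwise ordinary traffic is dropped: after intro1/intro2 the
        # reference no longer forwards to its target, as the quoted text states.

    def _finish_if_ready(self):
        # intro1 and intro2 can arrive in either order; deliver the
        # "introduction" exactly once, when both halves are present.
        if self.other_name is not None and self.other_clone is not None:
            self.target.receive(("introduction", self, self.other_clone, self.other_name))
            self.other_name = self.other_clone = None


class Mediator:
    def introduce(self, ref_a, name_a, ref_b, name_b):
        # Alice -> Mediator("introduce", AB2, "bob", AC2, "carol")
        ref_a.receive(("intro1", ref_b, name_b))
        ref_b.receive(("intro1", ref_a, name_a))


def inbox_names(party):
    """Render an inbox with proxy objects replaced by their names (AB2, AC3, ...)."""
    return [tuple(x.name if isinstance(x, Proxy) else x for x in msg)
            for msg in party.inbox]


def run_introduction():
    """Run the quoted scenario on constructed parties and return the pieces."""
    alice, bob, carol = Party("Alice"), Party("Bob"), Party("Carol")
    ab1 = Proxy("Alice", bob, "AB", 1)      # Alice -> AB1 -> Bob
    ab2 = Proxy("Alice", bob, "AB", 2)      # Alice -> AB2 -> Bob
    ac1 = Proxy("Alice", carol, "AC", 1)    # Alice -> AC1 -> Carol
    ac2 = Proxy("Alice", carol, "AC", 2)    # Alice -> AC2 -> Carol
    mediator = Mediator()
    ab2.receive(("mail", "hello via AB2"))          # still forwarded to Bob
    mediator.introduce(ab2, "bob", ac2, "carol")
    ab2.receive(("mail", "dropped after intro"))    # AB2 no longer forwards
    ab1.receive(("mail", "hello via AB1"))          # AB1 is unaffected
    return {"alice": alice, "bob": bob, "carol": carol,
            "ab1": ab1, "ab2": ab2, "ac1": ac1, "ac2": ac2}


if __name__ == "__main__":
    r = run_introduction()
    for p in ("bob", "carol"):
        print(p, inbox_names(r[p]))
```

Running it shows Bob receiving the pre-introduction mail, then `("introduction", "AB2", "AC3", "carol")`, then the mail sent via the untouched AB1, while the message sent through AB2 after the introduction is silently dropped; Carol receives only `("introduction", "AC2", "AB3", "bob")`. Whether the label carried on AB3 and AC3 should still read "Alice" is exactly the transfer-of-accountability question the thread is about, so the model keeps that choice visible in one place rather than deciding it.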