[cap-talk] Meijer on Mailkey (was: mailkey: transfer of accountability. Is this broken ??)

Rob Meijer rmeijer at xs4all.nl
Tue Jun 5 00:54:43 EDT 2007


On Mon, June 4, 2007 21:59, Jed Donnelley wrote:
> Rob Meijer wrote:
>> After reading the Horton paper, I have been trying to find out
>> if and how the alternative protocol I designed for the mailkey
>> anti spam project to take care of transfer of accountability is
>> broken or not. I posted on this before, but as no one replied
>> either positively or negatively I am stuck with the uncertainty
>> and do not really dare to proceed on implementing it now.
>>
>> I will try to rephrase my mailkey project so it would more fit
>> OC and the Horton alternative.
>>
>> We start off with Alice having 5 references:
>>
>> Alice -> AB1 -> Bob
>> Alice -> AB2 -> Bob
>> Alice -> AC1 -> Carol
>> Alice -> AC2 -> Carol
>> Alice -> Mediator
>>
> As I have noted in my discussion, I believe the distinction between
> A acting with some capabilities labeled as the responsibility of Alice
> and "Alice" having references is important.  What does it mean for
> "Alice" to have the above references?  Does this simply mean that
> some active object such as A has some references that are considered
> Alice's responsibility (e.g. as with Horton), or does it mean that a
> process (active object) that has an identity capability for Alice (Alice's
> beAlice in the Horton terminology, or a public key that identifies
> Alice in a PKI context) has the above references?



> Also, I'd like to understand why two references to each B (Bob?)
> and C (Carol?) are needed.

The reason is that at the end of the protocol, AB2 and AC2 will be in
a state that effectively revokes all authority they carry.
The idea is that the authority carried by the capability Alice holds to
AB2 and AB2 for whose use Alice is accountable gets transferred to
new capabilities AB3 and AC3 to what Carol and Bob respectively are made
accountable for its usage.

>> When Alice wants to introduce Bob and Carol she sends a message
>> to Mediator:
>>
>> Alice -> Mediator("introduce",AB2,"bob",AC2,"carol");
>>
>> Mediator on receiving this message forwards the message to both
>> its arguments, and both get forwarded to :
>>
>> Mediator -> AB2("intro1",AC2,"carol")
>> Mediator -> AC2("intro1",AB2,"bob")
>>
> What is the "carol" parameter above?  Is it literally the name
> associated with the Carol identity (the beCarol or the private key)
> as is suggested by the ""s or is it something like the whoCarol or
> Carol's public key?
>> As a result of these actions both AB2 and AC2 clone themselves
>> into respectively AB3 and AC3.

"carol" is just the petname that exists in the namespace identified
by the EQ-able AC2 that refers to Alice. The idea would be that
"Alice::carol" gets known to Bob as "Bob:alice:carol" here, is this making
any sense to you?

>> After this, both AB2 and AC2 generate new messages:
>>
>> AB2->AC2("intro2",AB3)
>> AC2->AB2("intro2",AC3)
>>
>> Now the introduction gets finally forwarded to Bob and Carol:
>>
>> AB2->Bob("introduction",AB2,AC3,"carol")
>> AC2->Bob("introduction",AC2,AB3,"bob")
>>
> I'm afraid I'm still at the point where I don't understand enough
> about the above and what I've read from:
>
> http://www.xs4all.nl/~rmeijer/mailkeys.pdf
> and from:
> http://erights.org/elib/capability/horton/mailkeys.html
>
> to make an effective comparison between Mailkey and Horton.  I hope MarkM
> will be able to shed some light on the comparison.
>> From the point where either "intro1" or "intro2" is received,
>> AB2/AC2 stop forwarding to Bob and Carol respectively.
>>
>> It may be important to note that in my concrete case, the mediator
>> being used is internet e-mail combined with To and Cc mail headers, and
>> all references in my case contain the full forgeable e-mail addresses of
>> the parties involved.
>>
> I don't understand what role the "mediator" plays in the
> object/capability comparison.

Forget about the mediator, it was a mistake of mine in my attempt to translate
the fact that sending an e-mail with both a To and CC field filled out to
Alice should be considered equal to sending a single message in objcap.
Just consider that Alice sends out both messages directly herself.

Rob
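
The message flow discussed in this thread, as an added Python simulation that is not part of the original post or of the mailkey project: Alice sends "intro1" to AB2 and AC2 directly (no mediator), each clones itself and exchanges "intro2", then delivers the final "introduction" and refuses further ordinary traffic. Assumptions: the class names `Party` and `Forwarder` are hypothetical, the second "introduction" is taken to be delivered to Carol, and a forwarder delivers only after it has seen both its "intro1" and its "intro2".

```python
class Party:
    def __init__(self, name):
        self.name, self.inbox = name, []

    def receive(self, *msg):
        self.inbox.append(msg)


class Forwarder:
    """A reference such as AB2: relays to `target`; `accountable` answers for its use."""
    def __init__(self, label, target, accountable):
        self.label, self.target, self.accountable = label, target, accountable
        self.revoked = False          # set once intro1 or intro2 arrives
        self.petname = self.clone = self.peer_clone = None

    def send(self, *msg):
        """Ordinary use of the reference; refused after the introduction starts."""
        if self.revoked:
            return False
        self.target.receive(*msg)
        return True

    def intro1(self, peer, petname):
        self.revoked, self.petname = True, petname
        # Clone (AB2 -> AB3): same target, accountability moves to the peer's target.
        self.clone = Forwarder(self.label[:2] + "3", self.target, peer.target.name)
        peer.intro2(self.clone)
        self._deliver()

    def intro2(self, peer_clone):
        self.revoked, self.peer_clone = True, peer_clone
        self._deliver()

    def _deliver(self):
        # The final "introduction" goes out once both intro1 and intro2 have arrived.
        if self.petname and self.peer_clone:
            self.target.receive("introduction", self, self.peer_clone, self.petname)


def run_introduction():
    # Constructed scenario: Alice holds AB1/AB2 to Bob and AC2 to Carol.
    bob, carol = Party("Bob"), Party("Carol")
    ab1, ab2 = Forwarder("AB1", bob, "Alice"), Forwarder("AB2", bob, "Alice")
    ac2 = Forwarder("AC2", carol, "Alice")
    ab2.intro1(ac2, "carol")          # Alice sends both messages directly
    ac2.intro1(ab2, "bob")
    _, _, ac3, petname = bob.inbox[-1]
    return {"bob": bob, "carol": carol, "ab1": ab1, "ab2": ab2, "ac2": ac2,
            "ac3": ac3, "petname": petname}
```

After the run, Bob holds AC3 (accountable: Bob) under the petname "carol", Carol holds AB3 (accountable: Carol), AB2 and AC2 refuse ordinary sends, and AB1 is unaffected.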


