[cap-talk] mailkey: Is this broken ?? Identity key access?

Jed Donnelley capability at webstart.com
Tue Jun 5 02:08:35 EDT 2007


At 04:51 PM 6/4/2007, Karp, Alan H wrote:
>David Hopwood wrote:
> >
> > This problem is easily solved: just consider instances of
> > applications to be principals, as well as users. Then a typical
> > delegation chain (e.g. appearing in a log) will look like
> > "Alice -> app1 -> Bob -> app2", where Alice used her "app1"
> > to delegate to Bob, and Bob used his "app2" to access the
> > delegated object.
> >
>But Carol has to know about each such account before the application can
>use her objects.

I think the above is exactly my no third party involvement
issue ( -> C as I briefly put it).  I hope we're able to come
up with a way to get around that.  My main concern is
that it will involve some sort of "split capability" (e.g.
the swiss number designator from the communication part).
That seems a bit unclean to me, which would suggest
a trade-off (either no third party involvement or
simple one piece capabilities, but not both).  I hope
it doesn't come to that.

Regarding:

>At 06:18 PM 6/4/2007, David Hopwood wrote:
>Karp, Alan H wrote:
> > David Hopwood wrote:
> >
> >>This problem is easily solved: just consider instances of
> >>applications to be principals, as well as users. Then a typical
> >>delegation chain (e.g. appearing in a log) will look like
> >>"Alice -> app1 -> Bob -> app2", where Alice used her "app1"
> >>to delegate to Bob, and Bob used his "app2" to access the
> >>delegated object.
> >
> > But Carol has to know about each such account before the application can
> > use her objects.
>
>Why? We must have a disconnect of assumptions here. I am assuming that
>it is usually system-provided powerboxes that perform delegations between
>principals. There is no logical requirement for the objects being delegated
>to be aware of the protocol, let alone particular principals.

I agree that there is no logical requirement for the objects being
delegated to be involved in the protocol, but that's the way
the current implementations (Horton and Mailkeys) are set up
as I read them.  The Mailkeys implementation:

http://erights.org/elib/capability/horton/mailkeys.html

seems to be MarkM's interpretation of Rob Meijer's description
based on some rather minimal information (the PDF charts).
I would not be surprised to see some change there, and in
general in this sort of "who" business.  A lot of early
flux.  Fun to have so much flux.  I hope it pays off in,
as James Donald says, "real world" applications.

--Jed  http://www.webstart.com/jed-signature.html  
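As an added illustration of the delegation chain quoted above (this is example code written for this archive page, not code from the thread, from Horton or from the Mailkeys implementation), the toy below models application instances as principals alongside users, lets a system-provided powerbox perform each delegation and log the chain, and keeps Carol's object entirely unaware of the protocol. The `Powerbox` class, the `owner` field on a principal and the ownership check are all assumptions made for the example; the log line it produces is the "Alice -> app1 -> Bob -> app2" form from the quoted text.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Principal:
    """A user or an application instance. App instances are principals in
    their own right; 'owner' (an assumed field) names the user running
    the instance, so the powerbox can tell app1 is Alice's and app2 is Bob's."""
    name: str
    owner: Optional["Principal"] = None


@dataclass
class Capability:
    """A reference to the target plus the chain of principals it passed
    through. The target is a plain callable that never sees the chain."""
    target: Callable[..., int]
    chain: List[Principal] = field(default_factory=list)


def render(chain: List[Principal]) -> str:
    """Format a chain the way the quoted log example does."""
    return " -> ".join(p.name for p in chain)


class Powerbox:
    """Assumed system-provided component: it performs delegations between
    principals and keeps the log, so the delegated object does not have to
    know about any account."""

    def __init__(self) -> None:
        self.log: List[str] = []

    @staticmethod
    def _check_instance(holder: Principal, via: Principal) -> None:
        # A principal may only act through an app instance that it owns;
        # otherwise the logged "who" would be wrong.
        if via.owner != holder:
            raise PermissionError(f"{via.name} is not an app instance of {holder.name}")

    def delegate(self, cap: Capability, via: Principal, to: Principal) -> Capability:
        """The current holder (last principal in the chain) uses its app
        instance 'via' to hand the capability on to principal 'to'."""
        holder = cap.chain[-1]
        self._check_instance(holder, via)
        new_cap = Capability(cap.target, cap.chain + [via, to])
        self.log.append("delegate: " + render(new_cap.chain))
        return new_cap

    def access(self, cap: Capability, via: Principal, *args: int) -> int:
        """The holder invokes the target through its own app instance; only
        the powerbox records who did it, the target just runs."""
        holder = cap.chain[-1]
        self._check_instance(holder, via)
        self.log.append("access: " + render(cap.chain + [via]))
        return cap.target(*args)


def carol_counter() -> Callable[[int], int]:
    """Carol's object: a counter with no notion of accounts or principals."""
    total = {"value": 0}

    def add(n: int) -> int:
        total["value"] += n
        return total["value"]

    return add


def run_scenario():
    """Constructed scenario: Carol gives Alice a capability; Alice delegates
    it to Bob through app1; Bob uses it through app2."""
    pb = Powerbox()
    alice, bob = Principal("Alice"), Principal("Bob")
    app1, app2 = Principal("app1", owner=alice), Principal("app2", owner=bob)
    cap = Capability(carol_counter(), chain=[alice])  # Carol hands it to Alice
    bob_cap = pb.delegate(cap, via=app1, to=bob)
    result = pb.access(bob_cap, app2, 5)
    return result, pb.log


if __name__ == "__main__":
    value, log = run_scenario()
    print(value)
    for line in log:
        print(line)
```

The point of the ownership check in the powerbox is that the "who" information lives entirely in the delegation machinery: Carol's counter is handed out and invoked without ever being told about Alice, Bob or their application instances, which is the arrangement the quoted reply argues for.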



