[cap-talk] Meijer on Mailkey (was: mailkey: transfer of accountability. Is this broken ??)
Jed Donnelley
capability at webstart.com
Tue Jun 5 02:24:39 EDT 2007
At 09:54 PM 6/4/2007, Rob Meijer wrote:
>On Mon, June 4, 2007 21:59, Jed Donnelley wrote:
> > Rob Meijer wrote:
> >> After reading the Horton paper, I have been trying to find out
> >> if and how the alternative protocol I designed for the mailkey
> >> anti-spam project to take care of transfer of accountability is
> >> broken or not. I posted on this before, but as no one replied
> >> either positively or negatively I am stuck with the uncertainty
> >> and do not really dare to proceed on implementing it now.
> >>
> >> I will try to rephrase my mailkey project so it would more fit
> >> OC and the Horton alternative.
> >>
> >> We start off with Alice having 5 references:
> >>
> >> Alice -> AB1 -> Bob
> >> Alice -> AB2 -> Bob
> >> Alice -> AC1 -> Carol
> >> Alice -> AC2 -> Carol
> >> Alice -> Mediator
> >>
> > As I have noted in my discussion, I believe the distinction between
> > A acting with some capabilities labeled as the responsibility of Alice
> > and "Alice" having references is important. What does it mean for
> > "Alice" to have the above references? Does this simply mean that
> > some active object such as A has some references that are considered
> > Alice's responsibility (e.g. as with Horton), or does it mean that a
> > process (active object) that has an identity capability for Alice (Alice's
> > beAlice in the Horton terminology, or a public key that identifies
> > Alice in a PKI context) has the above references?
>
> > Also, I'd like to understand why two references to each B (Bob?)
> > and C (Carol?) are needed.
>
>The reason is that at the end of the protocol, AB2 and AC2 will be in
>a state that effectively revokes all authority they carry.
>The idea is that the authority carried by the capability Alice holds to
>AB2 and AB2 for whose use Alice is accountable gets transferred to
>new capabilities AB3 and AC3 to what Carol and Bob respectively are made
>accountable for its usage.

Thanks. I think I see that in MarkM's reference E implementation
where at least I can see some more details and experiment with it.
I'm hopeful that by following that implementation (after MarkM's
time explaining it) I can understand it better. Thanks for taking
time with the above and your other comments. I'll return to them
(particularly your comment about EQ) if I'm still stuck.

Do you understand the concern about "object" (as David Hopwood
puts it) or "third party" involvement (as I've referred to it)
Rob? Does that seem to be a relevant issue to you? Do you
imagine your Mailkey design to have such object/third party
involvement? If so, do you think it can be eliminated? If
not then I (and perhaps MarkM) need to dig deeper into the
Mailkey design - perhaps with input from you?
--Jed http://www.webstart.com/jed-signature.html