[cap-talk] mailkey: Is this broken ?? Identity key access?
Jed Donnelley
jed at nersc.gov
Tue Jun 5 20:25:02 EDT 2007
David Hopwood wrote:
>
> Jed's concern about identity keys potentially having to be accessible
> to all of a user's applications did not seem to be specific to that approach.
>
>
My concern only goes as far as wanting to eliminate the requirement for
access
to the identity key for the identity responsible for the object that
services the
capability that is being delegated (i.e. Carol). Of course if a message is
communicating many capabilities, then many (potentially remote) identity
keys may need to be accessed. Perhaps I don't understand what you mean
above by "all of a user's applications":
In a delegation chain like you suggested:
"Alice -> app1 -> Bob -> app2"
I'm thinking that the above is referring to the delegation chain for
one capability (call it "c" whose service is Carol's responsibility).
The way the Horton and MarkM's programmed Mailkey
protocols work, each time there is a delegation the beIdentity
(~private key) for the object responsible for serving the object
whose capability is being delegated must be used.
I want to find a responsibility delegation protocol that doesn't
require the use of the identity responsible for the service.
I think we are all on the same page here. I hope I'm
using the appropriate terminology above. I just want to
state this position again a bit more fully with my updated
review of Horton and Mailkey in mind to check with others
on this high level goal.
--Jed
http://www.webstart.com/jed/
More information about the cap-talk
mailing list