[cap-talk] What Horton cannot do? (Was: mailkey: transfer of accountability...)
Karp, Alan H
alan.karp at hp.com
Wed Jun 6 11:37:43 EDT 2007
James A. Donald wrote:
>
> Now if Alice and Bob both have private keys, whose
> corresponding public keys are recognized by the entity
> that issues capabilities to activate the fire alarm,
> which is necessary if Alice is to pass the capability
> through the Horton mechanism, then we could just as
> easily pass the capability directly, not through the
> horton mechanism, and require the use of the capability
> to be signed by a private key.
>
I latched onto the phrase "whose corresponding public keys are
recognized by the entity ..." What if that entity never heard of Bob's
public key? In that case, Alice would have to say something like
"Entity, here is Bob's public key. Please add it to your list of
recognized keys." That's closer to what Horton is doing for the bearer
rights type of capability.
Lacking any further information about Bob, the entity will hold Alice
responsible for actions taken by Bob. More precisely, the entity will
hold Alice responsible for actions taken by the holder of Bob's private
key. That leads to a situation in which your approach reduces to bearer
rights. Alice creates a new key pair and tells the entity to add the
public key to its list. Alice then gives the corresponding private key
and capability to anyone she wants to be able to activate the fire
alarm. That pair is equivalent to a bearer right capability.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
More information about the cap-talk
mailing list