[cap-talk] What Horton cannot do? (Was: mailkey: transfer of accountability...)
Rob Meijer
rmeijer at xs4all.nl
Wed Jun 6 17:57:47 EDT 2007
On Wed, June 6, 2007 17:37, Karp, Alan H wrote:
> James A. Donald wrote:
>>
>> Now if Alice and Bob both have private keys, whose
>> corresponding public keys are recognized by the entity
>> that issues capabilities to activate the fire alarm,
>> which is necessary if Alice is to pass the capability
>> through the Horton mechanism, then we could just as
>> easily pass the capability directly, not through the
>> horton mechanism, and require the use of the capability
>> to be signed by a private key.
>>
> I latched onto the phrase "whose corresponding public keys are
> recognized by the entity ..." What if that entity never heard of Bob's
> public key? In that case, Alice would have to say something like
> "Entity, here is Bob's public key. Please add it to your list of
> recognized keys." That's closer to what Horton is doing for the bearer
> rights type of capability.
>
> Lacking any further information about Bob, the entity will hold Alice
> responsible for actions taken by Bob. More precisely, the entity will
> hold Alice responsible for actions taken by the holder of Bob's private
> key. That leads to a situation in which your approach reduces to bearer
> rights. Alice creates a new key pair and tells the entity to add the
> public key to its list. Alice then gives the corresponding private key
> and capability to anyone she wants to be able to activate the fire
> alarm. That pair is equivalent to a bearer right capability.

It may be just semantics, but would it not be relevant to distinguish
between the Alice 'entity' and the Alice 'namespace' (from the invoked
object (Carol?) point of view that is)?

Without any 'further' information on Bob, Bob would have to be considered
Alice::Bob by the invoked object, and as long as it can be shown that
Alice::Bob != Alice, abuse by Alice::Bob would be accountable to Alice::Bob
as an entity within the Alice name space rather than to the Alice entity
IMO. You could then say that if at a later time it is shown that for example
Alice::Bob == Dick::Bob, Bob could be lifted from the Alice name space to
the local name space, removing accountability for usage (not for
delegation) from the Alice name space.

Rob
Am I making any sense here, or is this
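
The bookkeeping this reply proposes for the invoked object, as an added Python example that is not part of the original post and is not Horton itself. Assumptions: keys are opaque strings with signature checking left out, the class and method names are hypothetical, and "shown that Alice::Bob == Dick::Bob" is modelled as the same key being introduced by two unrelated sponsors.

```python
class Entity:
    """The invoked object's record of recognised keys and the names they carry."""

    def __init__(self):
        self.names = {}       # key -> list of qualified names (tuples of labels)
        self.lifted = set()   # keys promoted to the local name space

    def enroll(self, label, key):
        # A principal the entity knows first-hand, e.g. ("Alice",).
        self.names.setdefault(key, []).append((label,))

    def introduce(self, sponsor_key, label, new_key):
        # "Entity, here is Bob's public key. Please add it to your list."
        # Distinct keys do not prove distinct holders: the quoted text notes
        # that Alice can mint the key pair herself.
        if new_key == sponsor_key:
            raise ValueError("sponsor cannot introduce its own key")
        sponsor = self.usage_accountable(sponsor_key)
        self.names.setdefault(new_key, []).append(sponsor + (label,))

    def usage_accountable(self, key):
        # Name that answers for actions taken with this key.
        name = self.names[key][0]
        return name[-1:] if key in self.lifted else name

    def delegation_accountable(self, key):
        # Names that answer for handing the right on; lifting does not clear this.
        return sorted({n[:-1] for n in self.names[key] if len(n) > 1})

    def try_lift(self, key):
        # Lift only when two different top-level name spaces vouch for the key.
        roots = {n[0] for n in self.names[key] if len(n) > 1}
        if len(roots) >= 2:
            self.lifted.add(key)
        return key in self.lifted


def fmt(name):
    return "::".join(name)


if __name__ == "__main__":
    e = Entity()
    e.enroll("Alice", "pk-alice")            # constructed sample keys
    e.enroll("Dick", "pk-dick")
    e.introduce("pk-alice", "Bob", "pk-bob")
    print(fmt(e.usage_accountable("pk-bob")), e.try_lift("pk-bob"))
    e.introduce("pk-dick", "Bob", "pk-bob")
    print(e.try_lift("pk-bob"), fmt(e.usage_accountable("pk-bob")),
          [fmt(n) for n in e.delegation_accountable("pk-bob")])
```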