[cap-talk] My alarming uncle Bob (was: What Horton cannot do? (Was: mailkey: transfer of accountability...))
Karp, Alan H
alan.karp at hp.com
Wed Jun 6 20:07:01 EDT 2007
Jed wrote:
> >
> > Or he could get a transient cookie that enabled actions
> > to be billed to his account, or attributed to his
> > reputation, which is in practice the way things are
> > usually done.
> Whether this "cookie" is transient or not, it seems to provide all the
> authority of a private key (at least temporarily), that is it "enabled
> actions to be billed to his account, or attributed to his reputation" -
> for example the charging of the 5 million dollars that you refer to
> elsewhere.
>
And this, I think, is Jed's disconnect. As I understand James'
proposal, both the authentication and the capability are needed to set
off the fire alarm. In other words, Alice can start a program and give
it knowledge of her private key but give the program only one of the
capabilities she holds. That program would only be able to do the one
thing that Alice explicitly authorized. Responsibility tracking comes
from the authentication; access rights, from the capabilities. I've
been calling this an "authenticated channel capability system".
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
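
The split described in the message above, as an added example that is not part of the original post or of the proposal it discusses: an action runs only when the request is both authenticated and backed by a capability for that action. The Service class, the action names and the use of an HMAC secret as a stand-in for Alice's private key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def sign(key, cap, action):
    # Authentication tag binding the request to the key holder.
    return hmac.new(key, f"{cap}|{action}".encode(), hashlib.sha256).hexdigest()

class Service:
    """Runs an action only if the request is authenticated AND carries
    a capability for that action (hypothetical toy model)."""

    def __init__(self):
        self.keys = {}   # principal -> secret (stand-in for a private key)
        self.caps = {}   # unguessable token -> the one action it authorizes
        self.audit = []  # (principal, action): responsibility tracking

    def enroll(self, principal):
        self.keys[principal] = secrets.token_bytes(32)
        return self.keys[principal]

    def mint(self, action):
        cap = secrets.token_hex(16)
        self.caps[cap] = action
        return cap

    def invoke(self, principal, cap, action, tag):
        key = self.keys.get(principal)
        if key is None or not hmac.compare_digest(sign(key, cap, action), tag):
            return "denied: not authenticated"
        if self.caps.get(cap) != action:
            return "denied: no capability"
        self.audit.append((principal, action))
        return "ok"

def demo():
    svc = Service()
    alice_key = svc.enroll("alice")
    alarm_cap = svc.mint("fire_alarm")
    svc.mint("bill_account")  # Alice holds this one; the program never gets it
    # The program knows alice_key but was handed only alarm_cap.
    allowed = svc.invoke("alice", alarm_cap, "fire_alarm",
                         sign(alice_key, alarm_cap, "fire_alarm"))
    overreach = svc.invoke("alice", alarm_cap, "bill_account",
                           sign(alice_key, alarm_cap, "bill_account"))
    # A holder of the capability who lacks Alice's key.
    forged = svc.invoke("alice", alarm_cap, "fire_alarm",
                        sign(b"not-alice", alarm_cap, "fire_alarm"))
    return allowed, overreach, forged, svc.audit
```

Calling demo() shows the program acting as Alice for the one authorized action only, with the audit list recording who is responsible for it.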