[cap-talk] My alarming uncle Bob (was: What Horton cannot do? (Was: mailkey: transfer of accountability...))

Jed Donnelley capability at webstart.com
Thu Jun 7 02:40:43 EDT 2007


At 05:07 PM 6/6/2007, Karp, Alan H wrote:
>Jed wrote:
> > >
> > > Or he could get a transient cookie that enabled actions
> > > to be billed to his account, or attributed to his
> > > reputation, which is in practice the way things are
> > > usually done.
> > Whether this "cookie" is transient or not, it seems to
> > provide all the authority of a private key (at least
> > temporarily), that it "enabled actions to be billed
> > to his account, or attributed to his reputation" - for example the
> > charging of the 5 million dollars that you refer to elsewhere.
>
>And this, I think, is Jed's disconnect.  As I understand James'
>proposal, both the authentication and the capability are needed to set
>off the fire alarm.  In other words, Alice can start a program and give
>it knowledge of her private key but give the program only one of the
>capabilities she holds.  That program would only be able to do the one
>thing that Alice explicitly authorized.  Responsibility tracking comes
>from the authentication; access rights, from the capabilities.  I've
>been calling this an "authenticated channel capability system".

I guess from the above that what James refers to as
"a transient cookie" is what you, Alan, are referring
to as "the authentication" and what you later refer
to as "knowledge of her private key".  Can you tell me
what this is?  Is it some sort of signed statement
from Alice?

When you refer to this as an "authenticated channel" capability
system, where does the "authenticated channel" come in?
What 'channel' are you referring to?

I just searched everything posted to cap-talk that refers
to "authenticated channel" and did a Web search for
same.  No joy.  Of course I can understand how a
channel can be "authenticated".  E.g. if a program
with Alice's private key is at one end of a channel
it can respond to receipt of a nonce with a signed copy
of the nonce - thus authenticating the channel.  However,
this of course assumes possession of the private
key (not just "knowledge of her private key") and
all it does is to communicate "acts for Alice",
but not in any limited way.

There must be more here that I'm still missing.
I just went back through all 11 messages from James
Donald since this topic came up.  Still no understanding.
I really don't like email for this sort of thing.
Maybe I'll just have to wait on this one until I see
some more details - perhaps a publication or implementation,
or maybe have an interactive discussion with somebody
on the topic.  Sigh.

I could respond more on other topics in the discussion
(e.g. "real world examples"), but if I'm still not getting
this most fundamental level, then I don't see the point.

--Jed  http://www.webstart.com/jed-signature.html 
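The two mechanisms the message above contrasts, a nonce-signing challenge that authenticates a channel as "acts for Alice" and a capability that grants exactly one right, can be shown together in code. The following is an added example, not code from the thread or from any project discussed in it. It assumes Ed25519 (Go's `crypto/ed25519`) in place of the unspecified signature scheme, a random token as the capability representation, and invented names (`AlarmService`, `Invoke`, `MintCapability`, the action strings). The service accepts a request only when the nonce is freshly issued, single-use, signed under Alice's key, and accompanied by a capability for that exact action, so an authenticated channel by itself authorizes nothing and a capability by itself carries no responsibility.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// AlarmService models the fire-alarm service discussed in the thread. It holds
// Alice's public key (for authentication) and the capability tokens it has
// issued (for access rights). The type and field names are assumptions.
type AlarmService struct {
	alicePub ed25519.PublicKey
	nonces   map[string]bool   // challenges issued and not yet consumed
	caps     map[string]string // capability token -> the single action it authorizes
	Log      []string          // responsibility record: who did what
}

func NewAlarmService(pub ed25519.PublicKey) *AlarmService {
	return &AlarmService{alicePub: pub, nonces: map[string]bool{}, caps: map[string]string{}}
}

// Challenge issues a fresh random nonce. Whoever holds Alice's private key
// proves it is at the other end of the channel by signing this nonce.
func (s *AlarmService) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce
}

// authenticate verifies the signed nonce under Alice's key. Each nonce is
// consumed on first use, so a captured response cannot be replayed later.
func (s *AlarmService) authenticate(nonce, sig []byte) error {
	key := hex.EncodeToString(nonce)
	if !s.nonces[key] {
		return errors.New("unknown or already-used nonce")
	}
	delete(s.nonces, key)
	if !ed25519.Verify(s.alicePub, nonce, sig) {
		return errors.New("signature does not verify under Alice's key")
	}
	return nil
}

// MintCapability creates an unguessable token that authorizes exactly one action.
func (s *AlarmService) MintCapability(action string) string {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	tok := hex.EncodeToString(raw)
	s.caps[tok] = action
	return tok
}

// Invoke applies the "both are needed" rule: the signed nonce says who is
// responsible, the capability says what is permitted, and neither suffices alone.
func (s *AlarmService) Invoke(nonce, sig []byte, capToken, action string) error {
	if err := s.authenticate(nonce, sig); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	if s.caps[capToken] != action {
		return fmt.Errorf("capability does not authorize %q", action)
	}
	s.Log = append(s.Log, "alice: "+action)
	return nil
}

// RunScenario gives a program Alice's private key but only the alarm capability
// and reports which invocations the service accepts.
func RunScenario() (alarmOK, billingOK, wrongKeyOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	svc := NewAlarmService(pub)
	alarmCap := svc.MintCapability("set-off-fire-alarm")
	sign := func(n []byte) []byte { return ed25519.Sign(priv, n) }

	// Authenticated as Alice and holding the matching capability: accepted.
	n := svc.Challenge()
	alarmOK = svc.Invoke(n, sign(n), alarmCap, "set-off-fire-alarm") == nil

	// Same authenticated channel, but no capability for billing: refused.
	n = svc.Challenge()
	billingOK = svc.Invoke(n, sign(n), alarmCap, "bill-5-million-dollars") == nil

	// Valid capability, but a party that cannot sign as Alice: refused.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	n = svc.Challenge()
	wrongKeyOK = svc.Invoke(n, ed25519.Sign(otherPriv, n), alarmCap, "set-off-fire-alarm") == nil
	return
}

func main() {
	a, b, c := RunScenario()
	fmt.Printf("alarm with cap: %v, billing without cap: %v, alarm under other key: %v\n", a, b, c)
}
```

The single-use nonce is the check a practitioner would insist on: without it, anyone who observed one signed challenge could present it again and appear to be Alice. The capability token is deliberately tied to one action string so that delegating it to a program conveys nothing beyond that action, which is the limitation the nonce signature alone cannot express.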