[cap-talk] What Horton cannot do? (Was: mailkey: transfer of accountability...)

Jed Donnelley capability at webstart.com
Thu Jun 7 03:01:13 EDT 2007

At 02:57 PM 6/6/2007, Rob Meijer wrote:
>On Wed, June 6, 2007 17:37, Karp, Alan H wrote:
> > James A. Donald wrote:
> >>
> >> Now if Alice and Bob both have private keys, whose
> >> corresponding public keys are recognized by the entity
> >> that issues capabilities to activate the fire alarm,
> >> which is necessary if Alice is to pass the capability
> >> through the Horton mechanism, then we could just as
> >> easily pass the capability directly, not through the
> >> Horton mechanism, and require the use of the capability
> >> to be signed by a private key.

I'm sorry, but I'm still not getting this.  There must be
something in that phrase "require the use of the capability
to be signed by a private key" that I'm not getting.  I just
don't understand how that can be done by an application
with the capability unless that application has the private
key (which of course then makes the private key spread all
over).  Is it somehow just a specific use of the capability
that's signed?  If so, when and how is the signing done?

> > I latched onto the phrase "whose corresponding public keys are
> > recognized by the entity ..."  What if that entity never heard of Bob's
> > public key?  In that case, Alice would have to say something like
> > "Entity, here is Bob's public key.  Please add it to your list of
> > recognized keys."  That's closer to what Horton is doing for the bearer
> > rights type of capability.
> >
> > Lacking any further information about Bob, the entity will hold Alice
> > responsible for actions taken by Bob.  More precisely, the entity will
> > hold Alice responsible for actions taken by the holder of Bob's private
> > key.  That leads to a situation in which your approach reduces to bearer
> > rights.  Alice creates a new key pair and tells the entity to add the
> > public key to its list.  Alice then gives the corresponding private key
> > and capability to anyone she wants to be able to activate the fire
> > alarm.  That pair is equivalent to a bearer right capability.
>It may be just semantics, but would it not be relevant to distinguish
>between the Alice 'entity' and the Alice 'namespace' (from the invoked
>object (Carol?) point of view that is)?
>Without any 'further' information on Bob, Bob would have to be considered
>Alice::Bob by the invoked object, and as long as it can be shown that
>Alice::Bob != Alice, abuse by Alice::Bob would be accountable to
>as an entity within the Alice name space rather than to the Alice entity
>IMO. You could then say that if at a later time it is shown that
>Alice::Bob == Dick::Bob, Bob could be lifted from the Alice name space to
>the local name space, removing accountability for usage (not for
>delegation) from the Alice name space.
>Am I making any sense here, or is this

Sorry Rob, James, Alan, I'm just not getting it.  Maybe if Alan is
getting it I'll be able to speak with him about it some time and
figure out at least basically what is being suggested.  Very
frustrating for all I'm sure.

--Jed  http://www.webstart.com/jed-signature.html 
