[cap-talk] Delegating Responsibility in Digital Systems: Horton's "Who Done It?"
Jed Donnelley
capability at webstart.com
Thu Jun 7 11:27:50 EDT 2007
At 07:22 AM 6/7/2007, Pierre THIERRY wrote:
>Scribit Mark S. Miller dies 28/05/2007 hora 17:44:
> > My worry is that if we reverse the usage of seal vs unseal, that Carol
> > would then be able to provide Alice with a box Alice can unseal, which
> > Alice can know only Bob could have sealed, making Bob's responsibility
> > to Carol undeniable (or at least less deniable) to Alice.
>
>Wasn't providing undeniable authentication a motivation of the
>discussion that led to the design of the Horton protocol?
>
>Curiously,
>Pierre

I'd also like to see an answer to the above, partly in the hope that
it might help to clear up the other high level issues that I'm
struggling with.

What meaning does 'responsibility' have if it is deniable?

For example, going back to something that James Donald wrote
(that I've now of course read many times):

"Let us suppose we manage to get in place an email system
where all email is authenticated by a public key, but
not signed by a public key - that is to say, the
recipient knows what key it came from but cannot prove
this to others. We assume entities are ultimately
identified by their key, not by a "true name" that is
somehow bound to the key."

Can somebody (other than James I guess, since he's
frustrated by trying) explain to me what the above means?

As I understand things, nothing can be "signed by a
public key", only by a private key.

I do assume that identities (I hope the "entity" term
doesn't add any variation) are ultimately 'identified'
(bound, established - not sure what terms to use
here) by their private key (the unsealer equivalent).

As others likely know by now, I often go back to my
extraterrestrial example to help clarify things.
From the far reaches of the galaxy I receive a
public key. I can send off a message encrypted with
that public key, including a nonce and my public
key. I get back a message encrypted with my public
key that includes a decryption of the nonce. At that
point I believe I've established communication with
an 'identity' ("entity"?). Have I got this much
right (starting to go back to more basic assumptions)?

Are people concerned that at that point any content
in the received message (besides any substantive content
that might have been included with the 'nonce' that
is now signed) could be deniable? That to have true
deniability the content itself would have to be signed?
That is, the entity at the other end answered my
challenge with the signed nonce, so I can be confident
that 'it' was in control over the rest of the content
that it encrypted (but did not sign) for me (the
"channel"? content?), but I cannot prove this to others
who weren't involved in the establishment of the
'authenticated channel'?

I hope we're all on the same page with the above.
Unfortunately I don't understand how it might be
relevant to our discussion, but when Pierre asked
the question I thought I would embellish it a bit
(hopefully for additional clarity and not obfuscation,
though even then a point of confusion might be
visible) to see if all the words fall into place -
or not.

Back to Pierre's question, undeniable responsibility
(how the "authentication" term applies I'm not sure,
as I think of "authentication" as a process applied
to a channel) was part of my initial goal. E.g. in
the fire alarm example, the building manager wants
to be able to demonstrate (not just know?) that Alice
is responsible for setting off the alarm - whether
directly or with a permission delegated to Bob (again
undeniable, though the identity 'Bob' may be otherwise
unknown, just another entity on the other side of the
galaxy).
--Jed http://www.webstart.com/jed-signature.html
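
The property in the James Donald passage quoted above (the recipient knows which key a message came from but cannot prove this to others), shown as an added example that is not part of the original message or of the Horton work. It uses a pairwise MAC key derived from static Diffie-Hellman keys; the toy group, function names and sample messages are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: an assumption for illustration, far too small for real use.
P = 2**127 - 1   # Mersenne prime
G = 3

def keypair():
    """Return (private, public) in the toy group."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(my_priv, their_pub):
    """Static-static DH: each side derives the same MAC key from its own private key."""
    secret = pow(their_pub, my_priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def tag(my_priv, their_pub, message):
    """Authenticate message for the holder of their_pub (a MAC, not a signature)."""
    return hmac.new(shared_key(my_priv, their_pub), message, hashlib.sha256).digest()

def verify(my_priv, their_pub, message, t):
    """True if t was made with the pairwise key between my key and their key."""
    return hmac.compare_digest(tag(my_priv, their_pub, message), t)

def demo():
    sender_priv, sender_pub = keypair()   # the remote entity
    recv_priv, recv_pub = keypair()       # the recipient
    outsider_priv, _ = keypair()          # a third party asked to judge

    msg = b"constructed sample message"
    t = tag(sender_priv, recv_pub, msg)

    # The recipient did not create t, so it must have come from the sender's key.
    accepted = verify(recv_priv, sender_pub, msg, t)

    # Deniability: the recipient alone can compute the very same tag, and can
    # tag text the sender never wrote, so a transcript proves nothing to others.
    recipient_can_reproduce = tag(recv_priv, sender_pub, msg) == t
    never_said = b"constructed text the sender never wrote"
    forgery_accepted = verify(recv_priv, sender_pub, never_said,
                              tag(recv_priv, sender_pub, never_said))

    # An outsider derives a different key, so the tag does not verify for them.
    outsider_ok = verify(outsider_priv, sender_pub, msg, t)
    return accepted, recipient_can_reproduce, forgery_accepted, outsider_ok
```

A digital signature differs on exactly the second and fourth results: only the private-key holder could produce it, and anyone holding the public key can check it.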