[cap-talk] Alice Frames Carol (was: horton questions)

Mark S. Miller erights at gmail.com
Tue Jun 12 01:49:50 EDT 2007


[Resending because my local clock was screwed. Sorry for the duplication.]

Peter Amstutz wrote:
> A couple other questions:
>  * One aspect of the Horton paper I don't quite understand is the need
> for an extra interaction between Bob and Carol to fetch the actual
> capability.  As you can see I omitted it in my description above in
> favor of encrypting the capability directly, but I would like to know
> why that was considered necessary.

An excellent question. Others have been puzzled by this as well. On the page
"Alice Frames Carol"
<http://erights.org/elib/capability/horton/framing-carol.html>
I have simplified the Horton code in the way you suggest, and demonstrate the
attack that this simplification enables. For continuity, you should read it in
the sequence

http://erights.org/elib/capability/horton/base.html
http://erights.org/elib/capability/horton/nary.html
http://erights.org/elib/capability/horton/framing-bob.html
http://erights.org/elib/capability/horton/framing-carol.html

The code on each page is a minor variation on the previous, with the changes
marked. It illustrates the following brief explanation in the Horton paper:

    Carol's S2 should at least gift-wrap S3 so only Bob
    can unwrap it. Could we simply use the seal/unseal
    operations of Bob's who/be pair as the wrap/unwrap
    functions? Unfortunately, this would still enable Alice
    to give Bob a gift allegedly from Carol, but which
    Bob unwraps to obtain a faux S3 created by Alice.

Does this page help clarify this explanation?

Thanks for raising this!

-- 
Text by me above is hereby placed in the public domain

     Cheers,
     --MarkM
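The distinction the quoted passage draws (gift-wrapping S3 with Bob's who/be sealer gives confidentiality, not origin) can be made concrete with a small constructed model. The code below is an added illustration, not the Horton code from the erights.org pages: `WhoBePair`, `Stub`, `CarolS2` and `bob_accepts` are names chosen here, the sealer/unsealer is a dictionary-backed stand-in, and it assumes Bob already holds a trusted reference to Carol's S2 (how Horton arranges that is not modelled). `demo_simplified` shows the simplification the page warns about, where Bob unseals a faux S3 Alice sealed with his own `who` and cannot tell it from Carol's; `demo_with_fetch` shows the extra Bob-to-Carol interaction, where Bob only ever obtains S3 by redeeming a claim at Carol's S2, so a gift Carol never issued yields nothing.

```python
"""Constructed model of the framing described on this page (not the
erights.org Horton code): sealing S3 for Bob is not the same as proving
that Carol sealed it."""
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Stub:
    """Stand-in for S3, the capability Carol wants Bob to receive.
    'made_by' exists only so the demo can report whose object Bob ended up
    with; Bob cannot read it through the sealed box."""
    made_by: str
    label: str


@dataclass(frozen=True)
class Box:
    """An opaque sealed box.  It records nothing about who sealed it."""
    token: bytes


class WhoBePair:
    """Bob's who/be pair modelled as a sealer/unsealer (an assumption of this
    example).  Anyone holding `who` can make a box; only `be` opens it."""

    def __init__(self):
        self._contents = {}

    def who(self, content):
        token = os.urandom(16)
        self._contents[token] = content
        return Box(token)

    def be(self, box):
        if box.token not in self._contents:
            raise KeyError("not sealed for this pair")
        return self._contents.pop(box.token)


# --- the simplification the page warns about: S3 sealed directly ----------

def wrap_for_bob(bob_who, stub):
    return bob_who(stub)


def demo_simplified():
    bob = WhoBePair()
    carol_stub = Stub("Carol", "the real S3")
    alice_stub = Stub("Alice", "faux S3 built by Alice")
    # Alice, as introducer, legitimately holds Bob's `who` and relays gifts.
    gift_from_carol = wrap_for_bob(bob.who, carol_stub)
    gift_from_alice = wrap_for_bob(bob.who, alice_stub)  # "allegedly from Carol"
    # Bob unseals both and gets a usable stub from each; nothing about the box
    # tells him which one Carol actually sealed.
    return (bob.be(gift_from_carol).made_by, bob.be(gift_from_alice).made_by)


# --- the page's point: Bob fetches the actual S3 from Carol's S2 ------------

class CarolS2:
    """Carol-side object that alone can hand out Carol's S3.  It gives the
    introducer a sealed claim to relay and releases S3 only on redemption."""

    def __init__(self, stub):
        self._stub = stub
        self._issued = set()

    def gift_for(self, bob_who):
        claim = os.urandom(16)
        self._issued.add(claim)
        return bob_who(claim)          # the gift carries a claim, not S3

    def redeem(self, claim):
        # The extra Bob<->Carol interaction: only claims this S2 issued count.
        if claim not in self._issued:
            return None
        self._issued.discard(claim)
        return self._stub


def bob_accepts(bob, carol_s2, gift):
    """Bob's side.  Assumes Bob holds a trusted reference to Carol's S2."""
    claim = bob.be(gift)
    stub = carol_s2.redeem(claim)
    return None if stub is None else stub.made_by


def demo_with_fetch():
    bob = WhoBePair()
    carol_s2 = CarolS2(Stub("Carol", "the real S3"))
    real_gift = carol_s2.gift_for(bob.who)
    forged_gift = bob.who(os.urandom(16))  # a claim Carol's S2 never issued
    return (bob_accepts(bob, carol_s2, real_gift),
            bob_accepts(bob, carol_s2, forged_gift))


if __name__ == "__main__":
    print("simplified:", demo_simplified())   # ('Carol', 'Alice'): both accepted
    print("with fetch:", demo_with_fetch())   # ('Carol', None): forgery rejected
```

The model deliberately keeps the sealed box free of any sender information, which is what makes the simplified variant fail: Bob's unsealer answers "was this sealed for me?", never "who sealed it?". Routing the real S3 through Carol's S2 moves the decision to the one party that knows which gifts it issued.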