[cap-talk] Implementing a crypto brand: What are the security requirements?

Tyler Close tyler.close at gmail.com
Fri Mar 23 17:47:41 CDT 2007


On 3/23/07, Mark Miller <erights at gmail.com> wrote:
> To avoid a conflict, Tyler is now looking for another name
> for the concept he was calling "Brand".

I think I'm going to rename it "Purpose".

A ( sealer, unsealer ) pair is often created so that the recipient of
a sealed reference can ensure that the creator of the referenced
object shared the same purpose. For example, consider the use of the (
sealer, unsealer ) pair in the IOU implementation at:

http://waterken.sourceforge.net/javadoc/src-html/org/waterken/iou/limited/Limited.html#line.75

In this code, the unsealer is used by the TermsX implementation to
ensure that a received PurseX was produced by code that also intends
to prohibit inflation of the number of outstanding rights. Or in other
words, the TermsX code will only operate on a PurseX that shares the
same purpose.

In general, a ( sealer, unsealer ) pair is like a reference that
accepts messages for some referent, but doesn't deliver them to the
referent. The caller must communicate the sealed message to the
referent. So a sealer commits a message to some purpose, but doesn't
actually act on it.

A source of bugs when using a ( sealer, unsealer ) pair is reusing the
same pair for multiple purposes. Such a bug was found by Hal Finney in
MarkM's original MintMaker example. Naming the ( sealer, unsealer )
pair "Purpose" might also help reinforce the design principle that
each one should be used for only one purpose.

There's now the issue of what to name the Purpose maker. It's awfully
tempting to call it "Will" and give it a method named "create". ;) I'm
only half joking, so somebody better come up with a better name fast.

Tyler

-- 
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/

Name your trusted sites to distinguish them from phishing sites.
https://addons.mozilla.org/firefox/957/
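
The reuse problem described in the message above, as an added example that is not part of the original post and is not the Waterken or MintMaker code: a JavaScript sketch in which one ( sealer, unsealer ) pair serving two purposes lets a box sealed for one be accepted for the other. The names `makePurpose`, `makeLedger` and `receiptAcceptedAsOrder`, and the ledger scenario itself, are assumptions constructed for illustration.

```javascript
// makePurpose() returns a fresh ( sealer, unsealer ) pair (hypothetical name).
function makePurpose() {
  const contents = new WeakMap();     // box -> payload, reachable only via this pair
  return Object.freeze({
    seal(payload) {
      const box = Object.freeze({});  // opaque token, carries no data itself
      contents.set(box, payload);
      return box;
    },
    unseal(box) {
      if (!contents.has(box)) throw new TypeError('not sealed for this purpose');
      return contents.get(box);
    }
  });
}

// Constructed scenario: a ledger that seals two kinds of message.
//   deposit receipt: given to whoever pays in
//   withdraw order:  meant to be issued only through order()
function makeLedger(receiptPurpose, orderPurpose) {
  let balance = 0;
  return {
    deposit(amount) { balance += amount; return receiptPurpose.seal(amount); },
    order(amount) { return orderPurpose.seal(amount); },
    withdraw(box) {
      const amount = orderPurpose.unseal(box);  // throws unless sealed as an order
      if (amount > balance) throw new RangeError('insufficient funds');
      balance -= amount;
      return amount;
    }
  };
}

// True if a deposit receipt is mistaken for a withdraw order.
function receiptAcceptedAsOrder(ledger) {
  const receipt = ledger.deposit(10);
  try { ledger.withdraw(receipt); return true; } catch (e) { return false; }
}

const shared = makePurpose();
const reused = makeLedger(shared, shared);                 // one pair, two purposes
const separate = makeLedger(makePurpose(), makePurpose()); // one pair per purpose
console.log(receiptAcceptedAsOrder(reused), receiptAcceptedAsOrder(separate));
```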

