[cap-talk] Implementing a crypto brand: What are the security requirements?

Tyler Close tyler.close at gmail.com
Fri Mar 23 18:50:59 CDT 2007

Hi David,

It'll take me a while to digest the crypto part of your message, but in
the meantime I need clarification on another part.

On 3/23/07, David Hopwood <david.nospam.hopwood at blueyonder.co.uk> wrote:
> Tyler Close wrote:
> > Correct. I renamed this attribute to label and changed its type to
> > String to better communicate that this attribute does not offer any
> > guarantees that can be relied upon.
> Changing the type to String prevents the use of private (i.e. closely
> held or anonymous) Brands. I don't see any good reason to do that.

I don't understand how this change prevents the use of private
(sealer / unsealer) pairs. Please elaborate.

In Joe-E, an org.joe_e.Token is used for an object having only identity
for purposes of rights amplification. My changes to the brand API
don't affect this use.

In Joe-E, a java.lang.String is considered data bearing no authority.
I switched the label to be of type String since clients should not
assume that possession of a label provides any authority, or any
reliable guarantee of any property.


The web-calculus is the union of REST and capability-based security:

Name your trusted sites to distinguish them from phishing sites.
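
The distinction drawn in the message above, as an added Java example that is not part of the original email and is not the brand API under discussion: two sealer / unsealer pairs share the same String label, yet only the pair holding the same identity-only token can open a box. The names BrandDemo, Box, Sealer, Unsealer and Pair are hypothetical, and the nested Token class is a local stand-in for org.joe_e.Token so the file compiles without Joe-E.

```java
public final class BrandDemo {
    /** Local stand-in for org.joe_e.Token (assumption): no state, only identity. */
    static final class Token {}

    /** Opaque box; its contents are released only against the matching Token. */
    static final class Box<T> {
        private final Token brand;
        private final T payload;
        private Box(Token brand, T payload) { this.brand = brand; this.payload = payload; }
    }
    static final class Sealer<T> {
        final String label;          // descriptive data only, never compared
        private final Token brand;   // closely held identity
        private Sealer(String label, Token brand) { this.label = label; this.brand = brand; }
        Box<T> seal(T payload) { return new Box<T>(brand, payload); }
    }
    static final class Unsealer<T> {
        final String label;
        private final Token brand;
        private Unsealer(String label, Token brand) { this.label = label; this.brand = brand; }
        T unseal(Box<T> box) {
            // Rights amplification: reference identity of the Token, not the label.
            if (box.brand != brand) { throw new SecurityException("box not sealed by this brand"); }
            return box.payload;
        }
    }
    static final class Pair<T> {
        final Sealer<T> sealer;
        final Unsealer<T> unsealer;
        private Pair(String label) {
            Token brand = new Token();   // fresh identity per pair
            sealer = new Sealer<T>(label, brand);
            unsealer = new Unsealer<T>(label, brand);
        }
    }

    public static void main(String[] args) {
        Pair<String> mine = new Pair<String>("purse");
        Pair<String> other = new Pair<String>("purse");   // same label, different Token
        Box<String> box = mine.sealer.seal("constructed sample payload");
        System.out.println("labels equal: " + mine.sealer.label.equals(other.sealer.label));
        System.out.println("own unsealer: " + mine.unsealer.unseal(box));
        try {
            other.unsealer.unseal(box);
        } catch (SecurityException e) {
            System.out.println("other unsealer rejected: " + e.getMessage());
        }
    }
}
```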
