[cap-talk] mailkey: transfer of accountability. Is this broken ?? should I start from scratch/horton ?

[Karp, Alan H]

James A. Donald wrote:
> 
> This could, of course, merely be the incomprehension of the 
> non expert 
> denigrating the expert, but the fundamental problem is that 
> "responsibility" cannot be everywhere well defined or adequately 
> tracked, and so attempts to do so are likely to get us into 
> bottomless mud.

You are correct that responsibility cannot be everywhere well-defined,
but it can be locally well-defined, which is what Horton does.  Think of
every connection between a proxy and a stub as the embodiment of some
contract.  In the final state in the Horton paper Carol has contract
with Alice and a separate one with Bob.  As long as Carol can
distinguish requests from Bob from those made by Alice, Carol knows
which contract is in effect for that request.  

For example, say that Carol's contract with Alice calls for Alice to pay
a $50 penalty for misuse of Carol's service.  If Alice transfers to
David her capability to use Carol's service, and David misuses Carol's
service, Carol collects from Alice, not David.  That's the difference
beween assigning responsibility locally versus everywhere.  It goes
further.  Say that Alice introduces Bob to Carol via Horton.  If Bob
misuses Carol's service, and Carol does not have knowledge of Bob that
is independent of Alice, Carol will collect try to collect from Bob, but
if he doesn't pay, Carol will get her money from Alice.  Once again,
Carol bases her decision only on local information.

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp