[cap-talk] A problem in EQ-free grant matcher?
Jim Larson
jimlarson at google.com
Fri Feb 15 21:34:00 EST 2008
Dean Tribble's EQ-free solution to the grant matcher problem (cap-talk list
on 2006-12-11) goes as follows:

1. Alice and Dana provide capabilities (A and D, respectively) for their
   respective charities to the Grant Matcher (GM).
2. GM creates a new sealer/unsealer pair, and seals a donation purse P with
   the sealer, resulting in a sealed box B.
3. GM passes the sealed box B to A and the unsealer U to D.
4. If A and D are references to the same underlying charity C (or
   transparent forwarders to C), then C will be able to unseal B to get the
   donation purse.

However, what if D is a corrupt partial forwarder controlled by Dana?
Instead of relaying U to C, D could instead substitute a false unsealer U'.
Once C calls U'.unseal(B), Dana has both the unsealer and the sealed box,
and can run off with the purse!

I have a solution, but the margin of this email is too small to contain it.
I'll try to write it up over the weekend.

Jim Larson
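
The scenario in the message above, modelled as an added example that is not part of the original email: steps 1 to 4 with A as a direct reference to C, run once with D as a direct reference and once with D as a forwarder that substitutes U'. All function names are hypothetical, and C is assumed to call unseal as soon as it holds both a box and an unsealer.

```javascript
// Added illustration; every name here is hypothetical, not from the thread.
function makeBrand() {
  const contents = new WeakMap(); // box -> sealed value, private to this pair
  const sealer = { seal(v) { const box = Object.freeze({}); contents.set(box, v); return box; } };
  const unsealer = {
    unseal(box) {
      if (!contents.has(box)) throw new Error("box not sealed by this brand");
      return contents.get(box);
    },
  };
  return { sealer, unsealer };
}

// Charity C: opens the box as soon as it holds both a box and an unsealer.
function makeCharity() {
  let box, unsealer;
  const received = [];
  const tryOpen = () => {
    if (!box || !unsealer) return;
    try { received.push(unsealer.unseal(box)); } catch (e) { /* unseal refused */ }
  };
  return {
    received,
    acceptBox(b) { box = b; tryOpen(); },
    acceptUnsealer(u) { unsealer = u; tryOpen(); },
  };
}

// Grant Matcher, steps 2 and 3: seal purse P into B, send B to A and U to D.
function matchGrant(a, d, purse) {
  const { sealer, unsealer } = makeBrand();
  a.acceptBox(sealer.seal(purse));
  d.acceptUnsealer(unsealer);
}

// Partial forwarder D: keeps the real U and hands C a substitute U'.
function makeSubstitutingForwarder(c, captured) {
  const fakeFor = (realU) => ({
    unseal(b) { captured.push(realU.unseal(b)); throw new Error("unseal failed"); },
  });
  return { acceptBox: (b) => c.acceptBox(b), acceptUnsealer: (u) => c.acceptUnsealer(fakeFor(u)) };
}

function runScenario(dIsSubstituting) {
  const c = makeCharity(), captured = [];
  const d = dIsSubstituting ? makeSubstitutingForwarder(c, captured) : c;
  matchGrant(c, d, { balance: 100 }); // A is a direct reference to C
  return { charityGot: c.received.length, forwarderGot: captured.length };
}
```

The model makes the trust boundary visible: C passes B as an argument to whatever object arrived on the D path, so the box is only as safe as that object's origin.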