[cap-talk] the value of non-delegatable authority? one-way?

Jed Donnelley capability at webstart.com
Mon Jan 14 12:34:41 EST 2008


Toby and cap-talk,

One follow-up thought I had with regard to:

At 11:22 PM 1/13/2008, Toby Murray wrote:
>Defence is the killer example here as far as I see it.

Any mechanism that is faithful to the defense
requirements (* and simple security properties) will
have to have a one-way communication aspect to it.
This is of course true because any program running
at one classification level will only be able to
communicate one-way to a program running at another.

There is of course no fundamental problem developing
a system with such a one-way communication property
on top of the basic object capability paradigm that
provides bi-directional communication.  Just as one
can make a use once capability (simply - not requiring
a special use of the return capability) from a base
that allows multiple use capabilities, one can make
a one-way communication mechanism out of a base that
permits two-way communication - e.g. as Bill Frantz
did with the KeyKOS classification monitor (my term
just guessed now, sorry if I got the name wrong Bill).
http://www.agorics.com/Library/KeyKos/securityInKeyKOS.html

However, when you start with the assumption of
fully bi-directional communication between Bob
and Dennis (as you seem to assume in your paper),
I don't see how you are going to effectively make
only one-way communication available with any technique,
even using "use once" capabilities like the reply
capabilities that you develop your NDA facility
around.

It isn't clear to me how your effort to create
a non-delegatable authority by using "use once"
capabilities helps you in providing for the
classification needs of the defense community.
Of course something like the sort of classification
monitor that Bill Frantz proposed for KeyKOS
will support such a facility - though not between
unconstrained communicators as you seem to be
trying to achieve in your NDA paper.

--Jed  http://www.webstart.com/jed-signature.html  
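Added example (not part of Jed's message, and not KeyKOS code) illustrating the point in the second paragraph: starting from ordinary object references, which are multi-use and two-way, one can build a "use once" capability and a one-way capability by interposing a forwarder. All names here (Mailbox, use_once, one_way, Revoked, _is_plain_data) are invented for the illustration.

```python
# Added example: "use once" and one-way forwarders built on plain Python
# references, which are multi-use and two-way by default. Mailbox, use_once,
# one_way, Revoked and _is_plain_data are hypothetical names chosen here;
# nothing below is taken from KeyKOS or from the post.


class Revoked(Exception):
    """Raised when a use-once forwarder is invoked a second time."""


class Mailbox:
    """Constructed target object: its method both accepts and returns data,
    so a bare reference to it is a two-way, multi-use capability."""

    def __init__(self):
        self.received = []

    def deliver(self, msg):
        self.received.append(msg)
        return "ack:%d" % len(self.received)  # the reply a one-way sender must not see


def use_once(target):
    """Wrap a callable so it can be invoked exactly once.

    The forwarder keeps the only reference it needs in a private slot and
    drops it before forwarding, so a second call finds nothing to invoke.
    """
    slot = [target]

    def forward(*args, **kwargs):
        if not slot:
            raise Revoked("capability already used")
        t = slot.pop()  # forget the target before forwarding
        return t(*args, **kwargs)

    return forward


_DATA_TYPES = (str, bytes, int, float, bool, type(None))


def _is_plain_data(value):
    """True only for values that carry no object references.

    Containers pass only when every element is itself plain data; anything
    else could be a capability the receiver later uses to talk back.
    """
    if isinstance(value, _DATA_TYPES):
        return True
    if isinstance(value, (list, tuple, set, frozenset)):
        return all(_is_plain_data(v) for v in value)
    if isinstance(value, dict):
        return all(_is_plain_data(k) and _is_plain_data(v) for k, v in value.items())
    return False


def one_way(target):
    """Wrap a callable so messages flow to it but nothing flows back.

    Two properties make the channel one-way at the capability level:
    1. the forwarder returns nothing and never propagates exceptions, so the
       sender learns nothing about the receiver's behaviour on this channel;
    2. arguments must be plain data, so the sender cannot smuggle a reference
       across and receive replies through it later.
    Covert channels such as timing are outside what this wrapper controls.
    """

    def forward(*args, **kwargs):
        for v in list(args) + list(kwargs.values()):
            if not _is_plain_data(v):
                raise TypeError("one-way channel carries data only, not references")
        try:
            target(*args, **kwargs)
        except Exception:
            pass  # swallowed on purpose: failure is information, too
        return None

    return forward


if __name__ == "__main__":
    box = Mailbox()
    once = use_once(box.deliver)
    print(once("first"))              # forwarded, reply visible: ack:1
    try:
        once("second")
    except Revoked as e:
        print("second use refused:", e)

    send = one_way(box.deliver)
    print(send("upward message"))     # None: the ack never comes back
    try:
        send(box)                     # a reference, not data: refused
    except TypeError as e:
        print("refused:", e)
    print(box.received)
```

The data-only check is what makes the second construction more than a cosmetic drop of the return value: in an object-capability system any reference that crosses the boundary is itself a potential reply channel, so the forwarder has to inspect what it carries, not just what it returns.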
