[cap-talk] the value of non-delegatable authority? one-way?

Toby Murray toby.murray at comlab.ox.ac.uk
Mon Jan 14 21:00:29 EST 2008


On Mon, 2008-01-14 at 09:34 -0800, Jed Donnelley wrote:
> Toby and cap-talk,
> 
> One follow-up thought I had with regard to:
> 
> At 11:22 PM 1/13/2008, Toby Murray wrote:
> >Defence is the killer example here as far as I see it.
> 
> It isn't clear to me how your effort to create
> a non-delegatable authority by using "use once"
> capabilities helps you in providing for the
> classification needs of the defense community.

I can't think of, and have never seen, an implementation of a credential
akin to a security clearance or an ID card in the object-capability
model other than that presented in the NDA paper, building on the "use
once" return capability mechanism.

Clearances and credentials seem obvious requirements of a pervasive
computing environment for Defence. Were one to build such an environment
on top of the object-cap model (as the Annex project is trying to do),
one would presumably need a way to implement these things in the
object-cap model.

Hence, I see that the NDA pattern is in fact quite applicable to
defence, at least in theory.

> Of course something like the sort of classification
> monitor that Bill Frantz proposed for KeyKOS
> will support such a facility - though not between
> unconstrained communicators as you seem to be
> trying to achieve in your NDA paper.

Precisely. It is potentially likely that in a system involving mutually
suspicious coalition partners, the objects of one partner won't be
confined from the point of view of the other partner. Hence, in these
situations, one can imagine that the NDA mechanism could be quite useful
to support the sort of natural mutual suspicion that characterises
cooperative defence deployments, perhaps.
