[cap-talk] Capabilities giving up control? (was: Re: A paper on web-keys)

Anupam Simlot gurudevdas at gmail.com
Fri Jan 18 13:36:59 EST 2008 

I'm still learning about this so I might make no sense whatsoever.

On Jan 17, 2008 8:37 PM, Toby Murray <toby.murray at comlab.ox.ac.uk> wrote:
> Jed, and others who believe that non-delegatable authorities can have no
> use in security:
>
> Why does your drivers' license have your photo on it?
>
> Why does your passport have your photo on it?
>
> These are authorities that are bound to your identity such that you
> cannot delegate them to anyone else in a useful manner. You can hand
> your passport to someone else but they cannot usefully use it. Likewise
> with your divers' license.

This analogy is flawed because passports and drivers licenses are capabilities.
  (1) They are not forgeable.
  (2) They contain a reference to the original object: the photo.
  (3) They let us access properties of whatever is being referenced.
e.g. can he drive or what is his age?

> There is good reason for this. Your passport and drivers' license are,
> in one sense, statements about you, not anyone else. Hence, they
> shouldn't be usable by other people. But these statements about you
> naturally grant you authority -- authority to drive a car legally or the
> authority to leave the country.

They let one know I have the authority to leave the country or drive
the car. Indeed, they grant the bearer the access to certain
properties about me.

> On a more fundamental level, they grant
> the authority for the individual pictured to be identified as you. These
> are all non-delegatable authorities by virtue of the included photo and
> the infeasibility of impersonating your face.

I remember reading somewhere that capabilities are id systems with
descriptions on how the referenced object can be accessed.

> Convince me that passports and drivers' licenses have no need to carry
> your photo -- or more precisely, ought to be usable by people whose
> faces don't match that pictured.

Have I shown it's not possible to convince you otherwise? May be
another analogy is in order. Perhaps involving strawberry short-cake.
Access to the cake should not be delegatable because there is only so
much cake to go around.

Anupam

More information about the cap-talk mailing list