[cap-talk] delegatable-with-probable-cost capabilities

David Hopwood david.hopwood at industrial-designers.co.uk
Sun Jan 27 23:51:59 EST 2008


ross mcginnis wrote:
>> Date: Mon, 28 Jan 2008 00:19:56 +0000
>> From: david.hopwood at industrial-designers.co.uk
>> To: cap-talk at mail.eros-os.org
>> Subject: Re: [cap-talk] delegatable-with-probable-cost capabilities
>>
>> ross mcginnis wrote:
>>> Hello all,
>>>
>>> I have been thinking about non-delegatable password capabilities in
> .....
>>> who delegates such a capability can potentially lose their bond.
>> I would like to respond more constructively to your post, but I don't
>> see any discussion of motivation (given that you don't claim it is
>> workable as an anti-spam scheme, and do not present any other example).
> 
> Hello,
> 
> Here is a clearer example of where you can use a delegatable-with-cost-cap
> in a person-person* network (in this example the password cap is a tractor's
> start key).

Thanks, I think this example clarifies the issues better.

> Ted is a farm equipment lessor. He leases out his $250000 harvester at a rate
> of $5000/month.
> Now Ted has two conditions that he wants fulfilled -
> 1) because the harvester is so expensive he only wants people that are trained
>    operators using it. He personally trains each lessee out in the back
>    paddock for a few hours just to make sure that he knows that they can
>    drive it without damaging it.
> 2) he wants to be sure that a lessee doesn't sub-lease it. Ted reckons that
>    he and he alone deserves the money that can be made out of his machine.
> 
> Ted could use the following delegatable-with-cost-cap scheme to meet these
> requirements:
> 
> The lessee is required to lodge a $10000xno.-months-leased cash bond. Ted
> places this bond in a publicly accessible safety box in the front entrance to
> his office. The safety box lock is opened by the exact same key that starts
> the harvester. Because of this bond requirement it is highly unlikely (though
> not impossible) that any lessee would pass the key onto a third party.
> Thus Ted is quite confident that the only person to use the equipment is
> the lessee and that it will not be sub-leased.

I'm unconvinced that Ted should be confident of this. Suppose that Alice
has leased the tractor to Alice, and Alice wants to sub-lease it to Bob.
It can be a condition of the agreement between Alice and Bob that Bob
will not collect the bond.

You may argue that Bob could cheat Alice. But there are any number of ways
Alice could convince Bob that it is not in his interest to collect the bond.
For instance, she could require another bond from Bob herself (while still
undercutting Ted's terms). Note that since Alice has only sub-leased to
Bob, it can only be Bob (or possibly Ted) who has cheated her if the
original bond is claimed.

> Furthermore, every day he checks the safety-box; if the money is missing
> then he knows that the key has been delegated - though this would rarely happen.
> If the cap has been delegated he revokes the cap (i.e. he changes the locks).
> Of course it is possible that the key has been delegated but the money is
> never taken - though this is unlikely.

I don't agree that we can say that this is unlikely. It depends entirely on
the trust relationship between the delegator and the delegatee (Alice and
Bob in the above).

-- 
David Hopwood

