[cap-talk] NDAs

Toby Murray toby.murray at comlab.ox.ac.uk
Wed Jun 10 04:46:52 EDT 2009


On Tue, 2009-06-09 at 15:19 -0700, Charles Landau wrote:
> Toby wrote:
> > Now the point I was making earlier is that even if one doesn't have a
> > cap system with use-once resume capabilities, one can simulate
> > resume caps by using nonces instead. NDA creates a fresh nonce each time
> > it invokes Bob, passing this nonce to Bob. It then waits for an
> > invocation that contains this nonce. The nonce then acts similarly to a
> > use-once resume key.
> 
> I understand that. But you said such non-delegable authorities "*can be 
> built*" [emphasis mine]. The general right to reply to invocations via 
> the start capability called "Bob" cannot be built. I believe in KeyKOS 
> and its descendants, any authority that can be built can be delegated.

Ah, I see where the disconnect is coming from. By "built" I mean "I can
build an object that provides this authority". NDA provides this
authority by performing the actions I described in my previous messages
in response to being invoked by other objects/processes. Hence its name
-- it embodies non-delegatable authority.

The actual authority that is non-delegatable is the right to invoke
Carol without Bob being able to intercede. Bob is forced to proxy to
share the authority that NDA gives him to invoke Carol, which is
entirely the point.
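The nonce scheme sketched above, as an added illustration that is not part of the original post or of any KeyKOS code: an NDA object mints a fresh nonce each time it invokes Bob, remembers it as outstanding, and only an invocation carrying that exact nonce, once, causes NDA to go on and invoke Carol. Bob never holds Carol; a third party (Dave, a constructed name) can reach Carol only by asking Bob to reply on its behalf, i.e. Bob proxies. The class and method names are assumptions chosen for the sketch.

```python
import secrets


class Carol:
    """The target object from the post. Records each invocation it receives."""

    def __init__(self):
        self.log = []

    def invoke(self, payload):
        self.log.append(payload)
        return f"carol handled {payload}"


class NDA:
    """Non-delegatable-authority object (constructed model of the post's NDA).

    Each invocation of Bob gets a fresh nonce; that nonce stands in for a
    use-once resume key and is accepted exactly once.
    """

    def __init__(self, carol):
        self._carol = carol        # only NDA holds a reference to Carol
        self._outstanding = set()  # nonces handed out and not yet consumed

    def invoke_bob(self, bob, message):
        nonce = secrets.token_hex(16)   # fresh, unguessable nonce per invocation
        self._outstanding.add(nonce)
        bob.receive(self, nonce, message)
        return nonce

    def resume(self, nonce, payload):
        # Wait-for-the-nonce step: reject unknown or already-consumed nonces.
        if nonce not in self._outstanding:
            raise PermissionError("unknown or already-used nonce")
        self._outstanding.discard(nonce)           # use-once semantics
        return self._carol.invoke(payload)         # NDA invokes Carol for Bob


class Bob:
    """Receives (NDA, nonce, message) and can reply through NDA only."""

    def __init__(self):
        self.pending = []

    def receive(self, nda, nonce, message):
        self.pending.append((nda, nonce, message))

    def reply(self, payload):
        nda, nonce, _ = self.pending.pop()
        return nda.resume(nonce, payload)


class Dave:
    """Constructed third party: has no nonce and no Carol, so must go via Bob."""

    def __init__(self, bob):
        self._bob = bob

    def ask(self, payload):
        return self._bob.reply(payload)   # Bob proxies; the authority is not handed over


def demo():
    """Run one round trip plus a replay and a forged nonce; return what happened."""
    carol = Carol()
    nda = NDA(carol)
    bob = Bob()

    nonce = nda.invoke_bob(bob, "please contact Carol")
    first = bob.reply("hello from Bob")

    try:                                   # replaying the consumed nonce fails
        nda.resume(nonce, "replay")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True

    try:                                   # a made-up nonce fails too
        nda.resume("00" * 16, "forged")
        forged_rejected = False
    except PermissionError:
        forged_rejected = True

    nda.invoke_bob(bob, "second round")    # Dave can only get through by Bob proxying
    via_proxy = Dave(bob).ask("hello from Dave via Bob")

    return {
        "first": first,
        "replay_rejected": replay_rejected,
        "forged_rejected": forged_rejected,
        "via_proxy": via_proxy,
        "carol_log": list(carol.log),
    }


if __name__ == "__main__":
    print(demo())
```

The set of outstanding nonces is what gives the simulation its use-once character: once `resume` discards a nonce, nothing Bob or Dave holds lets them invoke Carol again until NDA chooses to invoke Bob afresh.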
