[cap-talk] NDAs

David-Sarah Hopwood david-sarah at jacaranda.org
Wed Jun 10 10:50:07 EDT 2009


Toby Murray wrote:
> On Tue, 2009-06-09 at 23:36 +0000, Karp, Alan H wrote:
>> Toby Murray wrote:
>>> Even if Bob delegates the resume capability r that is created afresh
>>> each time NDA invokes Bob, he still cannot pass on the general right to
>>> reply to NDA's invocations of him. Hence, he must actively collaborate
>>> each time he wishes to share his authority to invoke Carol. Hence, I
>>> argue that this authority is not delegatable.
>>>
>> I believe you mean to say that "this permission is not delegatable."
>> Bob can still provide the authority to whomever he pleases.
> 
> No I meant authority, since Bob has no permission to invoke Carol.
> 
> The actual authority that Bob cannot delegate is not "the authority to
> invoke Carol" since he can clearly delegate this by passing on the
> resume capability each time he is invoked by NDA. The authority that Bob
> cannot delegate, however, is "the authority to invoke Carol without Bob
> being able to intercede". This is subtle and may have no practical use
> at all, but the distinction is real.

This is a distinction without a difference, because it is possible in
most cap systems, including KeyKOS, to construct a proxy such that
everyone who relies on it can know its (immutable) implementation,
and therefore see that it does not in fact intercede.

I therefore agree with Alan's point that what you have here is a
"non-delegatable permission". (The requirement to proxy in order to
delegate the authority should not be considered an obstacle to anything
but usability.)

-- 
David-Sarah Hopwood  ⚥  http://davidsarah.livejournal.com


