[cap-talk] Introduction by default (was: Re: binder ipc )
Karp, Alan H
alan.karp at hp.com
Wed Dec 28 20:38:21 PST 2011
Jed Donnelley wrote:
> > That being said, the kernel can provide an unforgeable identity with
> > each invocation that can lead to a simpler protocol. For example, in
> > an introduction by default system, Alice could distinguish invocations
> > from Bob and Carol without needing sealed boxes.
> It seems to me the above sentences contradict the immediately previous
If the kernel provides the identity of the sender to the recipient, then a man-in-the-middle attack isn't possible. If I recall correctly, the most complicated part of Horton was needed to prevent that.
> Perhaps it would help me to understand if you could further explain what
> you mean by an "introduction by default" system.
There are two options, introduction by default and proxy by default. Almost all capability systems, such as E and Waterken, are introduction by default systems. By that I mean that Bob delegates to Alice a reference to Carol, and Alice's invocations on that reference go directly to Carol. Client Utility did proxy by default, in which Alice's invocation of Carol was via Bob.
> It would help me in understanding your description if you would refer to
> the corresponding points in the Horton paper. My specific focus of
> concern is the point (near the upper right of page 3, referring to
> figure 2):
> ...Alice is saying in effect "Carol, I'd like to share with Bob my
> access to C. Could you create a stub for Bob's use?" Nothing forces
> Alice to share her rights in this indirect way; Alice's P1 could just
> give Bob direct access to S2. But then Carol would necessarily blame
> Alice for Bob's use of S2, which Alice might not like.
Having Carol create a stub for Bob is needed if Carol is to distinguish invocations by Bob from those by Alice. However, even the second scenario is an example of introduction by default because Bob's invocations go directly to S2.
> Of course we understand in the above that this description is
> metaphorical. It isn't actually a person Alice speaking to a person
> Carol, but rather an object (I prefer "active object" or process, but
> I'll stick with the simple 'object' term from the Horton paper), A,
> acting on behalf of a responsible entity (a 'who'), "Alice",
> communicating with an object, C, acting on behalf of another responsible
> entity, "Carol". The acting objects A, B, and C in Horton (e.g. figure
> 2) are distinct from the 'who' objects for Alice, Bob, and Carol.
I've been using Alice, Bob, and Carol as names for objects, which is not a good idea when discussing Horton.
> I have some questions about "introduction by default" systems such as
> you refer to:
> 1. How do such systems distinguish responsible entities (the Horton
> "who"s) from other objects? What corresponds to the "who" object? How
> can whatever corresponds to the "who" be communicated, wrapped,
> revoked, etc.?
They can't because there is nothing that corresponds to the "who" object.
> 2. How does responsibility tracking (in Horton the ability to identify
> an authority that's been communicated from Alice to Bob to David and
> even perhaps back to Bob) work in introduction by default systems?
It can't unless you do something special, such as getting a separate reference to the object for each delegation.
> Perhaps once I better understand the basic idea of "introduction by
> default" systems such questions will be easy for me to answer for
> myself. Thanks for any clarification.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
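The two delegation styles contrasted in this reply (introduction by default versus proxy by default), together with the "separate reference per delegation" workaround mentioned for responsibility tracking, as an added toy model. This is not code from the thread, from E, Waterken, Client Utility or the Horton paper; the class and function names (Target, DelegationStub, Proxy, the scenario functions) are assumptions made for illustration, and Python does not enforce capability discipline, so the model relies on each party using only the references it is explicitly handed.

```python
"""Toy model of introduction-by-default vs proxy-by-default delegation.
Added illustration; names are assumptions, not any real system's API."""


class Revoked(Exception):
    """Raised when a revoked reference is invoked."""


class Target:
    """Carol's object. Records what it can tell about each invocation."""

    def __init__(self):
        self.log = []  # (attribution as Carol sees it, message)

    def invoke(self, msg):
        # A bare reference carries no caller identity: the best Carol can
        # record is "unknown". Only a kernel-supplied identity or a
        # per-delegation stub lets her do better.
        return self._handle("unknown", msg)

    def _handle(self, attribution, msg):
        self.log.append((attribution, msg))
        return attribution

    def stub_for(self, label):
        """Mint a separate, revocable entry point for one delegation."""
        return DelegationStub(self, label)


class DelegationStub:
    """A distinct reference to Target issued for exactly one delegation."""

    def __init__(self, target, label):
        self._target = target
        self._label = label  # records the delegation chain, e.g. "alice>bob"
        self._revoked = False

    def invoke(self, msg):
        if self._revoked:
            raise Revoked(self._label)
        return self._target._handle(self._label, msg)

    def delegate(self, to):
        """Ask Carol for a fresh stub for `to` instead of handing over this one."""
        return self._target.stub_for(f"{self._label}>{to}")

    def revoke(self):
        self._revoked = True


class Proxy:
    """Proxy by default: the delegator keeps the only direct reference and
    forwards every invocation itself, so it sees (and could alter) each one."""

    def __init__(self, owner, ref):
        self._owner, self._ref, self._revoked = owner, ref, False
        self.seen = []

    def invoke(self, msg):
        if self._revoked:
            raise Revoked(self._owner)
        self.seen.append(msg)
        return self._ref.invoke(msg)  # reaches Carol over the owner's own reference

    def revoke(self):
        self._revoked = True


def _invoke_after_revoke(ref):
    try:
        ref.invoke("again")
        return True
    except Revoked:
        return False


def introduction_by_default():
    """Bob receives Alice's reference itself; Carol cannot tell them apart."""
    carol = Target()
    alice_ref = carol
    bob_ref = alice_ref  # the introduction: same reference, direct path to Carol
    alice_ref.invoke("from alice")
    bob_ref.invoke("from bob")
    return carol.log


def introduction_with_stubs():
    """Still a direct path, but one stub per delegation lets Carol attribute,
    trace (Alice to Bob to David) and revoke each hop independently."""
    carol = Target()
    alice_ref = carol.stub_for("alice")
    bob_ref = alice_ref.delegate("bob")    # Alice asks Carol to mint Bob's stub
    david_ref = bob_ref.delegate("david")  # Bob delegates onward to David
    alice_ref.invoke("from alice")
    bob_ref.invoke("from bob")
    david_ref.invoke("from david")
    bob_ref.revoke()                       # Bob's stub dies; David's keeps working
    bob_works = _invoke_after_revoke(bob_ref)
    david_ref.invoke("david again")
    return carol.log, bob_works


def careless_introduction():
    """Alice hands Bob her own stub: Carol necessarily blames Alice."""
    carol = Target()
    alice_ref = carol.stub_for("alice")
    alice_ref.invoke("from alice")
    bob_ref = alice_ref
    bob_ref.invoke("from bob")
    return carol.log


def proxy_by_default():
    """Bob's traffic passes through Alice, who can log and revoke it without
    Carol's help; Carol sees only Alice's reference being used."""
    carol = Target()
    bob_ref = Proxy("alice", carol)
    bob_ref.invoke("from bob")
    bob_ref.revoke()
    return carol.log, bob_ref.seen, _invoke_after_revoke(bob_ref)
```

Running the four scenarios shows the trade-off the reply is pointing at: with plain introduction Carol's log attributes both invocations to "unknown"; with a stub per delegation the labels carry the whole chain ("alice>bob>david") and revoking Bob's stub leaves David's usable; handing Bob Alice's own stub makes every invocation look like Alice's; and with a proxy Alice gets logging and revocation for free but becomes the man in the middle of everything Bob sends.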