[cap-talk] Collaboration opportunity
David Barbour
dmbarbour at gmail.com
Fri Jun 10 22:09:39 PDT 2011
On Fri, Jun 10, 2011 at 8:34 PM, Dirk Pranke <dpranke at chromium.org> wrote:
> Ben said "device" ... I interpreted him to be saying that "device" ==
> "computer", and that you were the one who introduced a smartcard into
> the equation.
A smartcard is a device. It's also a card with an unpowered computer on it.
I'm not understanding your confusion.
> That said, it seems to me that whether the holder of the
> smart card is the person who put the data into the smart card is
> entirely relevant, because your whole argument depended on it.
No, my 'whole argument' doesn't depend on it. My position only depends on
the fact that the alleged 'login' grants no meaningful authority.
Assume a scenario where the card just holds a bag of capabilities, but where
<insert org> put those capabilities on the card. Whoever holds the PIN and
the card can simply copy said bag of capabilities. You might reasonably say
that bringing card and PIN together is a 'rights amplification' - that the
PIN is acting like an unsealer, and the card like a sealed value. But like
normal sealed values, you're free to promptly garbage-collect the envelope.
This is still nothing like a 'login' as most people, likely even you, would
understand it. There is no 'privilege escalation' or 'state transition'
associated with the act of putting your PIN in the card. Throwing away the
card, in this case, would make no difference at all.
It is possible to create a smartcard where you must remain 'logged in' to
use the references on the card, but those references would not fully meet
the definition of 'capabilities' (since holding such a reference would not
grant permission and means to exercise it).
> whether or not one uses smartcards seems to me to be
> orthogonal to whether or not you have a capability-secured
> system.
It seems to me that it seems to you that using smartcards strongly implies
certain non-capability system uses. Evidence this discussion.
> However, I don't happen to believe that
> capabilities *must* be transferable or copyable
Definitions aren't our personal playthings. It would be unreasonable to say
we have a 'capability system' without ability to delegate them (among
others).
> Rather more interesting to me at least is that I am surprised that you
> don't think the system I described does not involve either identity or
> login. Can you elaborate on this?
IIRC, Rob's statement was 'identity (and thus login)', not 'identity (or
login)'. There's quite a difference between a car identifying the driver and
the driver identifying himself via login.
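As an added illustration of the two card designs contrasted in this message (not code from the thread or from any project named in it): a constructed Python model in which the first card's PIN unseals a bag of plain references that outlive the card, while the second card only hands out forwarders that stop working once the card is removed, so holding one of them is not by itself the means to exercise it. Class and function names are my own.

```python
import secrets

# Constructed sample capability: holding this callable is the authority to use it.
def open_garage():
    return "garage opened"

class BagOfCapsCard:
    """Model A: card = sealed envelope around a bag of capabilities, PIN = unsealer."""
    def __init__(self, pin, caps):
        self._pin, self._caps = pin, tuple(caps)

    def unseal(self, pin):
        if not secrets.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        # Unsealing hands back the plain references; the envelope is now irrelevant.
        return list(self._caps)

class SessionCard:
    """Model B: card hands out forwarders that keep re-checking the card's own state."""
    def __init__(self, pin, caps):
        self._pin, self._caps = pin, tuple(caps)
        self.inserted, self._logged_in = True, False

    def login(self, pin):
        if not secrets.compare_digest(pin, self._pin):
            raise PermissionError("wrong PIN")
        self._logged_in = True  # the 'state transition' that model A never has
        return [self._forward(c) for c in self._caps]

    def _forward(self, cap):
        def forwarder(*args):
            if not (self.inserted and self._logged_in):
                raise PermissionError("card removed or logged out")
            return cap(*args)
        return forwarder

    def remove(self):
        self.inserted = False

def use_after_discard(card_cls, pin="1234"):
    """Unseal/login, keep the references, get rid of the card, then try to use them."""
    card = card_cls(pin, [open_garage])
    refs = card.unseal(pin) if card_cls is BagOfCapsCard else card.login(pin)
    if card_cls is SessionCard:
        card.remove()  # pull the card; forwarders it issued now refuse
    del card  # garbage-collect the envelope
    try:
        return refs[0]()
    except PermissionError as e:
        return f"denied: {e}"
```

`use_after_discard(BagOfCapsCard)` still opens the garage with the card gone, which is the copyable-bag behaviour the message describes; `use_after_discard(SessionCard)` is denied, which is why its references fall short of the capability definition.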