Thoughts on droplets v. Notes

Tyler Close
Tue, 2 Nov 1999 12:37:49 -0800 (PST)

shapj wrote:
> For my edification, is there a reason to believe that Swiss numbers are
> preferable to cryptographically signed capabilities from the standpoint of
> security?

None that I know of. I actually spent some time trying to
implement with signed identifiers rather than Swiss numbers
in the belief that this would create a simpler design with
faster authentication. I switched for two reasons. First, I
realized that I still needed the lookup table in order to
anchor objects that had been exported so that they did not
get garbage collected. Second, a signed identifier created
a much longer URL, which made them tougher to pass around.

> > If an object identifier is unguessable and only
> > communicated over secured channels, then it is a
> > capability.
> I'm not clear that the "only communicated over secure channels" constraint
> is required.  It doesn't appear to me to be satisfied by E/Pluribus or
> Droplets, because the endpoints are not secure.

The 'only communicated over secure channels' constraint is
to ensure that a party can only acquire a capability if
another party possessing the capability has explicitly
passed it to them.

Both SSL and Pluribus provide secure transmission of a
capability to the client's TCB. Securing the client's TCB
from attackers is outside the scope of the provided

I believe a linux server running only apache, SSL, and SSH
is a secure endpoint. It is up to the client to use a
similarly secure endpoint. This is a market that I hope
EROS will one day service.
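
The two designs compared in the first reply above, as an added example that is not part of the original message and not Droplets code. The class names are hypothetical, and HMAC-SHA256 stands in for the signature scheme, which the message does not specify.

```python
import base64, hashlib, hmac, secrets

class SwissTable:
    """Swiss-number design: the unguessable number itself is the lookup key."""
    def __init__(self):
        self._exports = {}      # strong refs anchor exported objects against GC

    def export(self, obj):
        swiss = secrets.token_urlsafe(16)   # 128 random bits, 22 URL-safe chars
        self._exports[swiss] = obj
        return swiss

    def lookup(self, swiss):
        return self._exports.get(swiss)     # unknown number -> None

class SignedTable:
    """Signed-identifier design: guessable id plus a MAC (assumed scheme)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._exports = {}      # still required: something must anchor the object
        self._next_id = 0

    def _tag(self, oid):
        mac = hmac.new(self._key, oid.encode(), hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac).decode().rstrip("=")

    def export(self, obj):
        oid = str(self._next_id)
        self._next_id += 1
        self._exports[oid] = obj
        return oid + "." + self._tag(oid)

    def lookup(self, token):
        oid, _, tag = token.partition(".")
        # Constant-time comparison; a forged or altered tag is rejected
        # before the table is consulted.
        if not hmac.compare_digest(tag.encode(), self._tag(oid).encode()):
            return None
        return self._exports.get(oid)

def compare_lengths():
    """Return (swiss_len, signed_len) for one exported object."""
    obj = object()
    return len(SwissTable().export(obj)), len(SignedTable().export(obj))
```

Both classes end up holding the same export table; the signed variant adds a key and a tag to every identifier on top of it.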

