Thoughts on droplets v. Notes
Tue, 2 Nov 1999 12:37:49 -0800 (PST)
> For my edification, is there a reason to believe that Swiss numbers are
> preferable to cryptographically signed capabilities from the standpoint of
None that I know of. I actually spent some time trying to
implement with signed identifiers rather than Swiss numbers
in the belief that this would create a simpler design with
faster authentication. I switched for two reasons. First, I
realized that I still needed the lookup table in order to
anchor objects that had been exported so that they did not
get garbage collected. Second, a signed identifier created
a much longer URL, which made them tougher to pass around.
> > If an object identifier is unguessable and only
> > communicated over secured channels, then it is a
> > capability.
> I'm not clear that the "only communicated over secure channels" constraint
> is required. It doesn't appear to me to be satisfied by E/Pluribus or
> Droplets, because the endpoints are not secure.
The 'only communicated over secure channels' constraint is
to ensure that a party can only acquire a capability if
another party possessing the capability has explicitly
passed it to them.
Both SSL and Pluribus provide secure transmission of a
capability to the client's TCB. Securing the client's TCB
from attackers is outside the scope of the provided
I believe a Linux server running only Apache, SSL, and SSH
is a secure endpoint. It is up to the client to use a
similarly secure endpoint. This is a market that I hope
EROS will one day service.
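The two reasons given in the message above, worked through as an added example (not code from the original post or from Droplets): a Swiss-number table holds a strong reference that anchors each exported object, while a signed identifier verified without such a table cannot keep the object alive and produces a longer token. The class names, the 128-bit number size, the hashed table key, and the use of HMAC-SHA256 as a stand-in for a signature are all assumptions of this sketch; a public-key signature would be longer still.

```python
import base64, gc, hashlib, hmac, secrets, weakref

class Account:                      # constructed sample object to export
    def __init__(self, owner):
        self.owner = owner

def enc(raw):                       # URL-safe text form, padding stripped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def dec(token):
    try:
        return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:              # malformed token: treat as unknown
        return b""

class SwissTable:
    """Exports keyed by random unguessable numbers; the table anchors objects."""
    def __init__(self):
        self._table = {}            # strong references keep exports alive
    def export(self, obj):
        swiss = secrets.token_bytes(16)            # 128-bit Swiss number
        # Keying by the hash is this example's choice, not from the post.
        self._table[hashlib.sha256(swiss).digest()] = obj
        return enc(swiss)
    def lookup(self, token):
        return self._table.get(hashlib.sha256(dec(token)).digest())

class SignedIds:
    """Signed identifiers, no anchoring table (HMAC stands in for a signature)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._live = weakref.WeakValueDictionary() # weak: does not anchor
        self._next = 0
    def export(self, obj):
        self._next += 1
        oid = self._next.to_bytes(8, "big")
        self._live[oid] = obj
        return enc(oid + hmac.new(self._key, oid, hashlib.sha256).digest())
    def lookup(self, token):
        raw = dec(token)
        oid, tag = raw[:8], raw[8:]
        good = hmac.new(self._key, oid, hashlib.sha256).digest()
        return self._live.get(oid) if hmac.compare_digest(tag, good) else None

def demo():
    swiss, signed = SwissTable(), SignedIds()
    a, b = Account("alice"), Account("bob")
    t_swiss, t_signed = swiss.export(a), signed.export(b)
    del a, b                        # exporter drops its own references
    gc.collect()
    return len(t_swiss), len(t_signed), swiss.lookup(t_swiss), signed.lookup(t_signed)
```

`demo()` returns the two token lengths followed by what each scheme can still resolve once the exporter has dropped its own references.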