Comments on FC00 paper

Mark S. Miller markm@caplet.com
Tue, 02 Nov 1999 15:08:33 -0800


At 02:27 PM 11/2/99 , Marc Stiegler wrote:
>I have this suspicion this is a trick question. But here is a quicky
>implementation, attached at the bottom.

Well, I at least tricked you into revealing where you were making a bad
assumption.  An essential/required property of the sealer/unsealer mechanism
is that, starting from just a sealed box, or even from a sealed box together
with the sealer that sealed it, one must not be able to obtain the contents
of the box.  Starting from a sealed box and the unsealer that corresponds to
the sealer that sealed it, one can obtain the contents of the box.  If you
can obtain the box's unsealer from the box, then you can obtain the box's
contents starting from just the box, and all the security properties disappear.

You may want to reread
http://www.erights.org/elib/capability/ode/ode-capabilities.html#rights-amp ,
ftp://www.agorics.com/pub1/agorics/postscript/MANUAL.B17.ps.Z , or
http://www.mumble.net/jar/pubs/secureos2.html

> >     def sealedBox {
> >         to getSealer : any {sealer}
> >         to getUnsealer : any {unsealer}
> >     }
>...
>?  def unsealerForBox1 := sealedBox1 getUnsealer
># value: <unsealer>
         Cheers,
         --MarkM
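As an added illustration of the property MarkM describes above (this is not code from the thread, and it is JavaScript rather than E), here is a sealer/unsealer pair in which the box carries no reference back to its sealer or its unsealer; the contents are recoverable only through the matching unsealer. The names `makeBrandPair`, `seal`, `unseal` and `boxLeaksNothing` are this example's own.

```javascript
// Added example: a sealer/unsealer ("brand") pair. The box is an opaque,
// frozen token; the contents live in a WeakMap that only this pair's
// closure can reach, so holding the box (even together with the sealer)
// gives no path to the contents, and no getSealer/getUnsealer exists.
function makeBrandPair(name) {
  // Private table: box -> contents. Reachable only from seal/unseal below.
  const contentsOf = new WeakMap();

  const sealer = Object.freeze({
    seal(contents) {
      const box = Object.freeze({
        toString() { return `<box sealed by ${name}>`; },
      });
      contentsOf.set(box, contents);
      return box;
    },
    toString() { return `<${name} sealer>`; },
  });

  const unsealer = Object.freeze({
    unseal(box) {
      // Only boxes produced by *this* sealer are in the table; a box from
      // another pair, or a forged object, is rejected rather than opened.
      if (!contentsOf.has(box)) {
        throw new TypeError(`not a box sealed by the ${name} sealer`);
      }
      return contentsOf.get(box);
    },
    toString() { return `<${name} unsealer>`; },
  });

  return Object.freeze({ sealer, unsealer });
}

// Defender's check: a well-formed box exposes no own property other than
// toString (so no getSealer/getUnsealer/contents) and cannot be extended.
function boxLeaksNothing(box) {
  const names = Object.getOwnPropertyNames(box);
  return Object.isFrozen(box) && names.every((n) => n === 'toString');
}

// Constructed demo: two independent pairs and one sealed box.
const demo = makeBrandPair('demo');
const other = makeBrandPair('other');
const box1 = demo.sealer.seal('the secret');
```

Unsealing `box1` with `other.unsealer` (or handing `demo.unsealer` a forged object) throws instead of yielding anything, which is the behaviour the thread asks for.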