Communicating Conspirators

Ralph Hartley hartley@AIC.NRL.Navy.Mil
Mon, 15 Nov 1999 11:51:21 -0800


[The following correspondence with Ralph Hartley is forwarded with 
permission.  This first message is in reaction to 
http://www.erights.org/elib/capability/conspire.html .  --MarkM]


You are making the logical error of assuming that because your
notation can not express a difference that there is no difference.

There are two unstated assumptions that you appear to make.

     All communication is two way and continuous.

     All powers can be described as the ability to send or receive a
message.

The first assumption is the less problematical one. Depending on how
it is violated it can result in a great number of different cases
which may or may not be describable in terms of capabilities, but it
does not change the results of the question you pose.

The other assumption is more important. Consider the following
scenario.

Alice wishes to allow Bob, but not Mallet (who is in communication
with Bob) to have sex with her. Unfortunately Bob's character may not
be as good as she thinks; he could actually be working for Mallet who
has designs on Alice.

Clearly the capability model has no way of dealing with, or even
properly talking about, this situation. Fortunately ACLs can handle
this easily.

I can easily think of numerous (though less graphic) situations where
I might want to grant a non-transferable power. This is why the word
"Non-transferable" appears in so many contracts. Contrary to common
belief, lawyers are not paid to litigate meaningless distinctions
(though sometimes they do).

Of course if powers are restricted to consist only of the ability to
communicate, then there is no distinction since communication is
transitive. But this restriction rules out a vast part, perhaps a
majority of things that security is needed for.

Ralph Hartley