Tue, 16 Nov 1999 14:42:00 -0500
> -- The case where Bob changes his mind later is dealt with by Bob passing
> Mallet not the direct capability to the land but a revocable proxy. Mallet in
> any case must assume that his is what Bob has done because it is not possible
> for Bob to prove otherwise.
Exactly. If Bob cannot pass the title to Mallet, it is not
> >Suppose the power Alice gives Bob is the ability to communicate
> >PRIVATELY with Alice. Bob can relay massages for Mallet, but the
> >communication is no longer private; Bob could listen in. Adding
> >encryption can't help because Alice would have to agree to add another
> >layer of encryption to an already secure channel (which if she is
> >interested in keeping Bob from transferring his power she will not
> >do). Bob could give Mallet all the encryption keys but Alice will only
> >accept communication routed through Bob (or broadcasted so bob can
> >recieve it), and she uses symmetric encryption so that if Bob keeps
> >the keys he can still read everything.
> This is subtle. The power than Alice has given to Bob is the ability for Bob to
> communicate privately with Alice, not for anybody to to do so. Bob is free to
> pass this power to Mallet, but he can only pass the power that he actually
> has. Thus what Mallet acquires is still the power for Bob to communicate
> privately with Alice. Communications that Alice receives over this channel
> are, from Alice's perspective, still communications from Bob, even if they were
> actually sent by Mallet. Bob cannot pass to Mallet the power for Mallet to
> communicate privately with Alice because he does not possess this power in the
> first place.
Can capabilities express non-transferable powers or not? If we can
have a power that can only be exercised by a particular actor, and
that actor is the recipient, that is a non-transferable power. I was
taking it as given that capabilities were by definition transferable.
If capabilities can be of the form (actor, action), then anything I
can express with an acl can be expressed with capabilities. Just give
each actor a non-transferable capability for each action he is
permitted to take. It could have other uses as well, for instance
Alice might give Bob a power that can only be exercised by Mary.
If, on the other hand, capabilities are always transferable, then the
power (bob, communicate privately with Alice) that was given to bob
is a meaningful power which is not a capability, and cannot be
expressed in terms of capabilities.
After all, I did not claim all powers can be made enforceable
non-transferable, some cannot. I only said that some can.
I would tend to resolve the conflict by allowing non-transferable
capabilities, bearing in mind that the restriction may or may not be
enforceable. Presumably anyone giving out a non-transferable
capability would want to verify that it was enforceable.
This would, unfortunately, mean that capabilities could not be
implemented as references, since a reference (by any reasonable
definition) can be transferred.