Communicating Conspirators

Chip Morningstar chip@communities.com
Thu, 18 Nov 1999 11:35:27 -0800 (PST)


>>   -- The case where Bob changes his mind later is dealt with by Bob passing
>> Mallet not the direct capability to the land but a revocable proxy. Mallet in
>> any case must assume that this is what Bob has done because it is not possible
>> for Bob to prove otherwise.
>
>Exactly. If Bob cannot pass the title to Mallet, it is not
>transferable.

Actually, Bob *can* pass title to Mallet if he wants to (assuming he has it to
pass in the first place, of course). What he can't do is prove to Mallet that
he has done so. Mallet can't know that he now has exclusivity (even if he
actually does), because Bob can't prove that he has discarded his copy of the
pointer. It is for this reason that we introduce a third party (the "title
company") when we want to effect an exclusive rights transfer.


>Can capabilities express non-transferable powers or not? If we can
>have a power that can only be exercised by a particular actor, and
>that actor is the recipient, that is a non-transferable power. I was
>taking it as given that capabilities were by definition transferable.

Actually, we are making a more radical claim, which is that non-transferable
powers do not exist. Because capabilities do not allow you to express the idea
of non-transferable powers, they are, in our opinion, more in line with
reality. Since ACLs *can* express the idea of non-transferability, they permit
(indeed, encourage) the expression of fraudulent security promises.


>If capabilities can be of the form (actor, action), then anything I
>can express with an acl can be expressed with capabilities. Just give
>each actor a non-transferable capability for each action he is
>permitted to take. It could have other uses as well, for instance
>Alice might give Bob a power that can only be exercised by Mary.

The reason this is a problem is because the boundaries around an actor are not
well defined (that is, there is no clean way to demarcate who an action is
being taken by -- this is the essence of the Confused Deputy problem).  Is my
email program expressing my intentions (making me the actor) or is it
expressing the intentions of its author (making him the actor) or is it
expressing the intentions of the author of the compiler which was used to
compile the email program (making her the actor) or is it expressing the
intentions of...? Trying to pin this down is just a recipe for madness and
confusion. Any of these parties had the opportunity to have a say in what the
end behavior of the program will be. Capabilities cut through this by saying
that it is the actual behavior of the objects that needs to be controlled and
that questions of "who" are irrelevant.
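As an added illustration (not code from the original message, nor from any project discussed in the thread), here is a small Python model of the two arrangements described above: the revocable proxy that Bob can hand Mallet instead of the direct reference, and the third-party "title company" that holds the only direct reference and revokes the old holder's proxy before issuing the new one. The class and function names (`Land`, `make_revocable`, `TitleCompany`) and the parcel values are assumptions made for this example.

```python
"""Revocable proxy (caretaker) and title-company transfer, as an added model.

Assumed names: Land, make_revocable, TitleCompany. Not the E project's code.
"""


class Land:
    """The underlying object. Holding a reference to it IS the authority."""

    def __init__(self, parcel):
        self.parcel = parcel
        self.log = []  # record of what was built, for inspection in tests

    def build(self, structure):
        self.log.append(structure)
        return f"built {structure} on {self.parcel}"


class Revoked(Exception):
    """Raised when a proxy is used after its revoker has been invoked."""


def make_revocable(target):
    """Return (proxy, revoke). The proxy forwards every attribute access to
    target until revoke() is called. The proxy offers the same interface as
    the target, so its holder cannot tell it from a direct reference."""
    state = {"target": target}

    class Proxy:
        def __getattr__(self, name):
            current = state["target"]
            if current is None:
                raise Revoked(name)
            return getattr(current, name)

    def revoke():
        state["target"] = None

    return Proxy(), revoke


def bob_lends_to_mallet():
    """Bob keeps the direct reference and gives Mallet a revocable proxy.
    Bob can still act on the land; Mallet has no way to detect that."""
    land = Land("lot 7")  # Bob's direct capability (constructed sample)
    proxy, revoke = make_revocable(land)
    mallet_result = proxy.build("fence")  # Mallet acts through the proxy
    bob_result = land.build("shed")  # Bob's retained reference still works
    revoke()  # Bob changes his mind
    try:
        proxy.build("house")
        revoked = False
    except Revoked:
        revoked = True
    return mallet_result, bob_result, revoked, list(land.log)


def mallet_cannot_tell():
    """Every observation Mallet makes through a proxy matches what a direct
    reference would give, so no test distinguishes the two cases."""
    direct = Land("lot 7")
    proxied = Land("lot 7")
    proxy, _ = make_revocable(proxied)
    return direct.build("fence") == proxy.build("fence") and direct.parcel == proxy.parcel


class TitleCompany:
    """Third party trusted by both sides. It alone holds the direct reference;
    each owner gets a revocable proxy, and issue() revokes the previous owner's
    proxy before handing out the next. Exclusivity becomes a promise by the
    title company rather than an unprovable claim by the previous owner."""

    def __init__(self, land):
        self._land = land
        self._revoke_current = None

    def issue(self):
        if self._revoke_current is not None:
            self._revoke_current()
        proxy, revoke = make_revocable(self._land)
        self._revoke_current = revoke
        return proxy


def transfer_via_title_company():
    """Bob's access is cut off by the title company when Mallet's is issued."""
    land = Land("lot 7")
    company = TitleCompany(land)
    bob = company.issue()
    bob_before = bob.build("fence")
    mallet = company.issue()  # the transfer: Bob is revoked, Mallet issued
    try:
        bob.build("shed")
        bob_after = "still works"
    except Revoked:
        bob_after = "revoked"
    mallet_result = mallet.build("house")
    return bob_before, bob_after, mallet_result, list(land.log)


if __name__ == "__main__":
    print(bob_lends_to_mallet())
    print(mallet_cannot_tell())
    print(transfer_via_title_company())
```

The point the model makes is the one in the message: nothing Mallet can do through the proxy reveals whether Bob kept his own reference, so exclusivity has to come from a party both of them trust, not from Bob's word.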