Communicating Conspirators

hal@finney.org hal@finney.org
Sat, 20 Nov 1999 17:31:46 -0800


Chip Morningstar, <chip@communities.com>, writes:

> Indeed, it is useful to have a language to express what your security
> desires are.  One of the ongoing discussions I have had with MarkM and
> Dean and a few of the others who first introduced me to the capability
> paradigm, is that I feel there is a need to have a way for programs
> to talk to each other *about* capabilities without mentioning the
> capabilities themselves. The principle of never separating designation
> from authority (which, BTW, though it may sound otherwise in this note,
> I strongly agree with) makes it difficult for one entity to express a
> desire to another about a specific object, even if the very existence of
> that object is provisional or hypothetical. So it is hard for Bob to say
> to Alice, "please give me access to Carol" because Bob can't designate
> Carol to Alice without already having access to Carol.

Could you have weak capabilities which point at Carol but don't allow
you to do anything?  I could see Carol broadcasting or encouraging the
distribution of capabilities which point to her but allow only some kind
of weak status queries.  Then there could be more powerful capabilities
which would allow her clients to request her to perform actions.

On the web you might want to distribute capabilities to allow users
to read your web pages, but to have more limited capabilities that
would allow people to annotate or change web pages on your server.
Then someone could use the restricted capability to indicate which object
he was requesting a more powerful capability for.  (Does the Droplets
system do this?)

This would have to be done on a case by case basis though, each object
providing a "denotational" capability for this purpose if it seemed
useful.

Maybe what you are suggesting is that there should be an operation
which can transform any capability into a weakened one which can't be
used to perform any operations.  However there would be a test similar
to the equality predicate which would ask whether a weakened capability
corresponds to a given regular capability.  That way you could say, please
give me the regular capability that corresponds to this weakened one.

Hal