Mark S. Miller
Tue, 23 Nov 1999 13:56:24 -0800
At 11:45 AM 11/23/99 , Ralph Hartley wrote:
>Suppose before Alice gives Bob a power, she insists that Bob let her
>examine his source code, and verifies that no information Bob receives
>from Mallet can ever affect Bob's use of the power. This example
>violates your other assumption ...

This example does indeed violate an assumption -- the assumption that is the
whole premise of the thread. This thread is named "Communicating
Conspirators" specifically in reaction to
http://www.erights.org/elib/capability/conspire.html rather than
http://www.erights.org/elib/capability/confinement.html . Ralph, the claim
I took you to be challenging is the claim on the first of these links --
that *if* Alice is not in a position to confine Bob, or be assured that Bob is
confined, *then* she cannot prevent Bob from further delegating this power
to Mallet. On the second link we concede -- indeed we proudly proclaim --
that if Bob can be confined to Alice's satisfaction, then Alice can indeed
be confident that Bob cannot delegate the power to Mallet. Your example
above is a means of implementing confinement. It is actually fairly close to
the "auditor" technique E uses for confinement.

We further claim http://www.erights.org/elib/capability/dist-confine.html
that there are severe limitations on the conditions under which Alice can
obtain confidence of Bob's confinement. I suspect that this may be where
the substantive disagreement lies.

In any case, I hope you are correct that our claims may be narrow enough to
be correct. I would not have it otherwise. Let us stay on track wrt what
narrow claims we are making that you are trying to refute.
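
The distinction drawn in this message, as an added sketch in JavaScript (not part of the original post and not code from the E project): an unconfined Bob never passes the power on, yet Mallet still gets it used on his behalf, while a Bob with no channel to Mallet cannot delegate. All names are hypothetical, and confinement is modelled in the simplest possible way, as Bob holding no channel on which Mallet can reach him.

```javascript
'use strict';

// A power whose every use is recorded, so we can see what it was used for.
function makePower() {
  const uses = [];
  const power = Object.freeze({
    use(request) { uses.push(request); return `ok:${request}`; },
  });
  return { power, uses };
}

// A message channel: the only way Mallet can reach Bob in this model.
function makeChannel() {
  let handler = null;
  return Object.freeze({
    listen(fn) { handler = fn; },
    send(msg) { return handler === null ? undefined : handler(msg); },
  });
}

// Bob never hands the power itself to anyone. If he holds a channel to
// Mallet, he simply services Mallet's requests with the power (a proxy).
function makeBob(channelToMallet) {
  return Object.freeze({
    receive(power) {
      if (channelToMallet !== null) {
        channelToMallet.listen((request) => power.use(request));
      }
    },
  });
}

// Mallet holds only the channel, never a reference to the power.
function makeMallet(channel) {
  return Object.freeze({ attempt: (request) => channel.send(request) });
}

// `confined` = Alice has assured herself that Bob holds no channel to Mallet
// (assumption of this sketch: that assurance is modelled as passing null).
function scenario(confined) {
  const { power, uses } = makePower();
  const channel = makeChannel();
  const bob = makeBob(confined ? null : channel);
  const mallet = makeMallet(channel);
  bob.receive(power); // Alice grants the power to Bob only
  const reply = mallet.attempt('mallet-request');
  return { reply, uses: uses.slice() };
}
```

From the power's side, the proxied use in `scenario(false)` looks like any other use by Bob; only the absence of a Bob-Mallet channel in `scenario(true)` stops it.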