[E-Lang] Hash Chaining & Capabilities, Proposal #2d: Deputizing Remote Vats
Mark S. Miller
markm@caplet.com
Mon, 13 Nov 2000 12:20:59 -0800

At 11:38 AM 11/13/00, Bill Frantz wrote:
>At 08:44 AM 11/11/00 -0800, Mark S. Miller wrote:
>>...Is there a compelling
>>need for off-line certificates? Do they address a real problem?)
>
>There may be places where a device can listen, but not send. The classic
>example is a missile submarine silently waiting orders to fire. Similar
>situations may occur in other military contexts.
>
>There may be similar non-military situations. For example, a system which
>transmits thru anonymous remailers, and receives thru
>alt.anonymous.messages may have slow enough round-trip times to be
>practically offline.
>
>Also, radio receive-only devices require a lot less power than
>transmit/receive devices. Power requirements may produce a one-way
>communication economic niche. Wide geographic access may also require a
>one-way broadcast solution. (Think cell phone towers in Antarctica.)
>
>Thinking further out, Moon/Mars/Alpha Centauri/Andromeda communications
>give expanding turnaround delays.

These are great answers! I'm convinced; off-line certificates are useful!
Although authorization-chain-based certificates are less private than
on-line messages in one way -- they must reveal the authorization chain to the
resource host (VatC) in order to exercise their rights (send a message to
Carol) -- several of your answers make clear that they're more private in
other ways. Secret-based bearer certificates (as opposed to
authorization-chain-based, as in your example of a Pluribus message sent by
PGP email) would seem to have the best privacy features of both worlds.

Of course, authorization-chains also give strong auditability, which we give
up with bearer certificates. Are there any other reasons for preferring
authorization-chain certificates? Did the SPKI or E-Speak 3.0 folks ever
consider secret-based bearer certificates? Did the idea ever come up in the
x509 world? Why not? They are also a lot cheaper.

Desire for auditability is certainly an adequate answer -- auditability is
important! However, I rarely hear this issue mentioned by anyone other than
Bill.

Cheers,
--MarkM