[E-Lang] Hash Chaining & Capabilities, Proposal #2d: Deputizing Remote Vats

Bill Frantz frantz@communities.com
Mon, 13 Nov 2000 14:16:53 -0800


At 12:20 PM 11/13/00 -0800, Mark S. Miller wrote:
>Of course, authorization-chains also give strong auditability, which we give 
>up with bearer certificates.  Are there any other reasons for preferring 
>authorization-chain certificates?  Did the SPKI or E-Speak 3.0 folks ever 
>consider secret-based bearer certificates?  Did the idea ever come up in the 
>x509 world?  Why not?  They are also a lot cheaper.

I don't think the SPKI/x509 people ever thought about secret-based bearer
certificates.  The original x509 idea was to certify identity (e.g. the web
server you are talking to is really run by foo.com).  If the secret is a
shared secret, now anyone who can verify the identity can assume it, a bad
idea.  The SPKI people specifically did not want to require certificate
encryption, so shared secret approaches were out there as well.

One interesting bearer technology is the offline Digicash protocol.  (This
protocol was not published by Digicash because it permitted double
anonymity, and the social implications worried David Chaum.)

The Digicash protocols involved 3 parties, a buyer (Alice), a seller (Bob),
and the bank.  In the online protocol:

(1) Alice makes a coin using a large random number, blinds the coin, and
sends it to the bank.

(2) The bank adjusts Alice's bank account, signs the coin, and returns it
to Alice.

(3) Alice removes the blinding, and sends the coin to Bob.

(4) To protect from double spending, Bob must immediately clear the coin
with the bank, which is why the protocol is online.  Bob can be identified
if Alice and the bank cooperate.


The offline protocol modifies the online protocol by:

(0) Bob creates the coin, blinds it, and sends it to Alice.

(1) Alice also blinds it with her own blinding factor.

...

(4) Bob unblinds the coin.  Since he is the only one who knows how to
unblind the coin, he is protected against double spending.  He does not
need online clearing.  Since the coin Alice spent was blinded by Bob, he
can not be identified.


Note that the offline protocol can easily be implemented without the
cooperation of the bank.
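
Added example, not part of the original message and not Digicash code: a Python sketch of online steps (1)-(4) above, assuming Chaum-style RSA blind signatures, which the message does not spell out. The toy key, the `Bank` class, the "alice" account and all function names are constructed for illustration.

```python
import hashlib
import secrets
from math import gcd

# Toy bank key from two Mersenne primes: constructed for the demo, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # bank's private signing exponent

def h(serial: bytes) -> int:
    """Map a coin serial to the integer mod N that the bank's signature covers."""
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % N

class Bank:
    def __init__(self):
        self.balances = {"alice": 3}  # constructed account
        self.spent = set()            # serials already cleared

    def withdraw(self, account: str, blinded: int) -> int:
        # Step 2: debit the account and sign the blinded value without seeing the coin.
        if self.balances[account] < 1:
            raise ValueError("insufficient funds")
        self.balances[account] -= 1
        return pow(blinded, D, N)

    def clear(self, serial: bytes, sig: int) -> str:
        # Step 4: verify the bank's signature, then refuse a serial seen before.
        if pow(sig, E, N) != h(serial):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "ok"

def make_blinded_coin():
    # Step 1: random serial, blinded as H(serial) * r^E mod N with r coprime to N.
    serial, r = secrets.token_bytes(16), 0
    while gcd(r, N) != 1:
        r = secrets.randbelow(N - 2) + 2
    return serial, r, h(serial) * pow(r, E, N) % N

def demo():
    bank = Bank()
    serial, r, blinded = make_blinded_coin()
    sig = bank.withdraw("alice", blinded) * pow(r, -1, N) % N  # step 3: Alice unblinds
    bank_saw_coin = blinded == h(serial)  # False: the bank signed a value it cannot link
    results = [bank.clear(serial, sig), bank.clear(serial, sig), bank.clear(b"forged", sig)]
    return bank_saw_coin, results, bank.balances["alice"]
```

The second `clear` call is the double-spend check that forces Bob to be online in this variant.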