[E-Lang] Re: Hash Chaining & Capabilities, Proposal #2d: Deputizing Remote Vats

Mark S. Miller markm@caplet.com
Wed, 22 Nov 2000 08:58:36 -0800


At 07:32 PM 11/14/00, David Wagner wrote:
>For instance, another good reason to prefer offline active certificates
>is to support partial disconnection.  Most people who access the net
>through a modem are only rarely connected; if you have to check with
>them online to verify all privileges they've delegated, they'll never
>be able to usefully delegate anything to anyone else.

Let's assume for the moment, as SPKI does, that the exercise of a delegated 
right is an on-line activity involving the exerciser and the resource host.  
In our terms, if Alice delegates to Bob the right to invoke Carol, no matter
whether the delegation by Alice is online or offline, let's assume the 
invocation of Carol by Bob involves an online connection between VatB and 
VatC.

If Alice delegates to Bob full access to Carol, this is just our old 
Pluribus implementation of the Granovetter diagram.  If Alice goes offline 
after delegating, no problem.  If Alice wants to delegate a subset of the 
rights represented by Carol, and there is no prearrangement on VatC for 
Alice to express the kind of subsetting she's interested in (i.e., it falls 
outside the expressiveness of the SPKI subsetting language, and there is no 
pre-existing abstraction on VatC for providing the desired subset (in Norm's 
terminology, no "foreseen facet")), then Alice needs to express an unforeseen 
facet in code.

In E as it stands now, Alice can only reasonably arrange for such code to 
run in VatA, which creates all the disconnection problems you point out.  To 
avoid these, as inspired by Nikita's work and as explained at 
http://www.eros-os.org/pipermail/e-lang/2000-November/003911.html Alice will 
usually seek to run her subsetting agent on VatC, requiring support for 
secure mobile code, whether this happens online or off.  However, as the 
text at that URL demonstrates, the use of mobile code for active subsetting 
solves the disconnection problem fully as much in the online case as in the 
offline case.

A related real difference: In the online case, the subsetting agent must be 
loaded into VatC at time of delegation, whereas in the offline case, where 
the mobile-code is embedded in the cert, the agent isn't loaded until Bob 
wants to exercise the delegated right.

>Also, there are cases of asymmetric connectivity.  I'm thinking especially
>of folks behind a firewall who can connect out (to give an outsider an
>active certificate) but where outsiders cannot connect in (to verify
>delegated authority); in these cases, an "offline" protocol is useful.

Wow.  One could wall bang out a cert through a covert one-way channel, but 
one couldn't create an on-line connection through such a channel.  Neat.  
There is lurking here a calculus of which security arrangements can hop over 
the walls created by which other security arrangements.

>In general, you can take any certificate system and replace all offline
>certificate-verification steps with an online query to the trusted
>certification authority.  Certificates are just an offline version of
>an online protocol.  There are plenty of good reasons to prefer offline
>authentication (certs) to the online protocol, and I think most of those
>will also apply to active certificates.

Btw, just to be clear.  I was never questioning the "active" part, just the 
"offline" part.  Ever since my epiphany in Nikita's office, I was 
convinced that if I wanted offline certs at all I wanted active ones.  I'm 
now convinced of the whole proposition.



        Cheers,
        --MarkM
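
The disconnection argument in the message above, as an added sketch that is not part of the original message and is not E or Pluribus code: a read-only facet over Carol is hosted either on VatA or on VatC, Alice goes offline, and Bob then exercises the delegated right. The `Vat`, `Ref`, `Carol` and `ReadOnlyFacet` classes and the read/append interface are assumptions made for illustration, and the secure mobile code needed to load Alice's facet into VatC is not modelled.

```python
class VatOffline(Exception): pass

class Vat:
    """Constructed stand-in for a vat: hosts objects and may be offline."""
    def __init__(self, name):
        self.name, self.online, self._objects = name, True, []
    def host(self, obj):
        self._objects.append(obj)
        return Ref(self, len(self._objects) - 1)
    def deliver(self, slot, method, args):
        if not self.online:
            raise VatOffline(self.name)
        if method.startswith("_"):       # only public methods are reachable
            raise AttributeError(method)
        return getattr(self._objects[slot], method)(*args)

class Ref:
    """Remote reference: every send is a message to the hosting vat."""
    def __init__(self, vat, slot):
        self._vat, self._slot = vat, slot
    def send(self, method, *args):
        return self._vat.deliver(self._slot, method, args)

class Carol:
    """The resource on VatC; full access means both read and append."""
    def __init__(self):
        self._log = ["constructed entry"]    # constructed sample data
    def read(self):
        return list(self._log)
    def append(self, entry):
        self._log.append(entry)

class ReadOnlyFacet:
    """Alice's subsetting agent: forwards read, offers no append."""
    def __init__(self, carol_ref):
        self._carol = carol_ref
    def read(self):
        return self._carol.send("read")

def bob_exercises(facet_host):
    """Alice delegates a facet hosted on facet_host, then disconnects."""
    vats = {"VatA": Vat("VatA"), "VatC": Vat("VatC")}
    carol = vats["VatC"].host(Carol())
    bobs_ref = vats[facet_host].host(ReadOnlyFacet(carol))
    vats["VatA"].online = False          # Alice goes offline after delegating
    try:
        return bobs_ref.send("read")     # Bob exercises the delegated right
    except VatOffline as err:
        return "unreachable: %s is offline" % err
```

With the facet on VatC, Bob's read succeeds after Alice disconnects; with the facet on VatA, the same read fails because every invocation has to pass through Alice's vat.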