[E-Lang] Quantum computing and capabilities
Fri, 02 Feb 2001 10:58:05 -0800
At 11:27 AM 2/2/01 -0000, Tyler Close wrote:
>Bill Frantz wrote:
>> Sturdy references consist of a vat-id, a swiss-number, and vat location
>> hints. The big problem with symmetric-key only-sturdy references is
>> verifying the identity of receiving vat. If you share sturdy references,
>> any sturdy reference can spoof the object, since it knows the shared
>> secret.
>
>Just to clarify this, I think you are saying that if Alice has a
>symmetric-key cap for Bob, and passes this symmetric-key cap to Carol,
>Carol gets the ability to access Bob, and to be Bob. To avoid this,
>Alice must pass Carol a new symmetric-key cap for Bob.
>
>It is ok that Alice can impersonate Bob to Carol. It is within the
>definition of capability based security that Alice can introduce Carol
>to a Bob of Alice's choosing.
>
>I thought some might be misled by the statement: "The big problem with
>symmetric-key only-sturdy references is verifying the identity of
>receiving vat." It definitely took me a moment to digest this
>distinction when I first learned it. I think this distinction is also
>what makes the requirements for capability based security relaxed
>enough to permit a symmetric key solution.
The problem isn't that Alice can be Bob to Carol. The problem is that
Carol can be Bob to Alice. Consider that someone might want to publish a
public capability in the New York Times. With the current sturdy
reference, everyone agrees about which vat is hosting that capability (even
if some wily editor changed the sturdy reference during the publication
process). With symmetric keys, anyone who reads the New York Times can be