[E-Lang] Quantum computing and capabilities
Sat, 3 Feb 2001 12:45:31 -0000
Bill Frantz wrote:
> At 11:27 AM 2/2/01 -0000, Tyler Close wrote:
> >Bill Frantz wrote:
> >> Sturdy references consist of a vat-id, a swiss-number, and vat location
> >> hints. The big problem with symmetric-key only-sturdy references is
> >> verifying the identity of receiving vat. If you share sturdy references,
> >> any sturdy reference can spoof the object, since it knows the shared
> >> secret.
> >
> >Just to clarify this, I think you are saying that if Alice has a
> >symmetric-key cap for Bob, and passes this symmetric-key cap to Carol,
> >Carol gets the ability to access Bob, and to be Bob. To avoid this,
> >Alice must pass Carol a new symmetric-key cap for Bob.
> >
> >It is ok that Alice can impersonate Bob to Carol. It is within the
> >definition of capability based security that Alice can introduce Carol
> >to a Bob of Alice's choosing.
> >
> >I thought some might be misled by the statement: "The big problem with
> >symmetric-key only-sturdy references is verifying the identity of
> >receiving vat." It definitely took me a moment to digest this
> >distinction when I first learned it. I think this distinction is also
> >what makes the requirements for capability based security relaxed
> >enough to permit a symmetric key solution.
>
> The problem isn't that Alice can be Bob to Carol. The problem is that
> Carol can be Bob to Alice. Consider that someone might want to publish a
> public capability in the New York Times. With the current sturdy
> reference, everyone agrees about which vat is hosting that capability (even
> if some wily editor changed the sturdy reference during the
> process). With symmetric keys, anyone who reads the New York Times can be
> that vat.
Yes, I was agreeing with you. I was just trying to restate your
argument such that a particular distinction that I find very
interesting was made more obvious. The ", and to be Bob" part in the
first paragraph is the New York Times issue.

The point that the second paragraph makes is what I find to be the
very subtle part of capability based introductions that makes them so
flexible. This is the same subtlety that Ralph Hartley was asking
about in the Quantum Computing thread.
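
The New York Times scenario discussed in this message, as an added Python example that is not part of the original post or of E's code: a reader of a published reference tries to answer Alice's challenge as the hosting vat. Assumptions: the vat-id is the hash of the vat's public key, a Lamport one-time signature stands in for the vat's real signature scheme so that only the standard library is needed, and all function names and values are constructed for illustration.

```python
import hashlib, hmac, os

def H(data):
    return hashlib.sha256(data).digest()

# Symmetric-key reference: the reference itself contains the shared secret.
def sym_prove(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def sym_verify(secret, nonce, proof):
    return hmac.compare_digest(sym_prove(secret, nonce), proof)

# Public-key reference (assumption: vat-id = hash of the vat's public key).
# A Lamport one-time signature stands in for the vat's real signature scheme.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def msg_bits(msg):
    d = H(msg)
    return [(d[i // 8] >> (i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def vat_id(pk):
    return H(b"".join(a + b for a, b in pk))

def pk_verify(expected_id, pk, nonce, sig):
    if vat_id(pk) != expected_id:      # key must match the published vat-id
        return False
    bits = msg_bits(nonce)
    return len(sig) == 256 and all(H(s) == pk[i][b] for i, (s, b) in enumerate(zip(sig, bits)))

def impersonation_outcomes():
    nonce = os.urandom(16)             # Alice's fresh challenge
    shared = os.urandom(32)            # constructed secret printed in the newspaper
    reader_proof = sym_prove(shared, nonce)   # any reader can compute this
    sym_spoofed = sym_verify(shared, nonce, reader_proof)
    vat_sk, vat_pk = keygen()
    published = vat_id(vat_pk)         # constructed vat-id printed in the newspaper
    reader_sk, reader_pk = keygen()
    genuine = pk_verify(published, vat_pk, nonce, sign(vat_sk, nonce))
    own_key = pk_verify(published, reader_pk, nonce, sign(reader_sk, nonce))
    vat_key = pk_verify(published, vat_pk, nonce, sign(reader_sk, nonce))
    return sym_spoofed, genuine, own_key, vat_key

if __name__ == "__main__":
    print(impersonation_outcomes())
```

The four results are, in order: the reader passes as the vat under the symmetric scheme, the genuine vat passes under the public-key scheme, and the reader fails both with its own key pair and when presenting the vat's public key without the matching private key.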