[E-Lang] Irreversible delegation, was: draft statement of consensus

hal@finney.org hal@finney.org
Thu, 8 Feb 2001 09:54:17 -0800

> 2. We all agree there is at least one security relationship that
> capabilities cannot create, even in theory. This is the one Ralph Hartley
> identified that Mark Miller agrees with. We also agree that this one is not
> of practical importance. We also agree that there may be others that might
> be of practical importance, though there is no agreement that others have
> been found.

At the risk of re-opening a closed discussion, I'm not sure I agree
with all parts of this.

The question is one of irrevocable delegation.  If Bob has a capability
to access Alice in certain ways, can he transfer it to Carol in such a
way that he is guaranteed not to be able to interfere with it in the

First, I don't agree that this is unimportant.  In the real world
irreversible delgation plays a significant role.  In a broad sense,
every transfer of property is irreversible delegation.  A more specific
example is adding someone as a co-owner of property like real estate
or a bank account.  Such transfers delegate ownership authority in an
irreversible way.

Second, it seems to me that capabilities can express this kind of
delegation as well as anything else.  After all, with an ACL if Bob
just tells Carol that he's given her ownership access to a resource on
Alice, that doesn't prove that he really did it.  Carol needs to be
able to verify this in some reliable way with Alice.

If we assume that Carol does have a separate channel to Alice, then
Bob can transfer a capability to her irrevocably with Alice's help.
Assuming Carol trusts Alice in this regard, Alice can assure her that
Bob will be unable to revoke the transfer.  That's essentially what
happens with ACLs, and it looks like capabilities can do it just as well.