[E-Lang] Irreversible delegation, was: draft statement of consensus

Jonathan S. Shapiro shap@cs.jhu.edu
Thu, 08 Feb 2001 13:16:16 -0500


hal@finney.org wrote:
> The question is one of irrevocable delegation.  If Bob has a capability
> to access Alice in certain ways, can he transfer it to Carol in such a
> way that he is guaranteed not to be able to interfere with it in the
> future.

This is completely doable in a pure capability system.

The real issue here is not whether the authority can be transferred
without interference, nor whether the authority is irrevocable, but
rather what we mean by "the authority". That is, this is a problem of
authentication.

Here is how to solve the problem:

Bob transfers an alleged capability to Alice, and Alice goes to the
authenticator and says: "is this capability really a foo capability?"
The issue of non-revocation is completely seperate. It's revocable by
Bob if the contract on the capability is that it's revocable by Bob. The
problem faced by Alice is simply to confirm that the contract is what
she believes it to be.

That is, we cannot ensure non-mangled transfer, but we *can* ensure that
the capability can be validated on the recipient end, which achieves the
same objective.

By the way, this is why I do NOT accept the view that the transfer path
of a capability has any relevance to its validity.


Jonathan