[E-Lang] Irreversible delegation, was: draft statement of consensus

Mark S. Miller markm@caplet.com
Thu, 08 Feb 2001 13:09:08 -0800

At 09:54 AM Thursday 2/8/01, hal@finney.org wrote:
>> 2. We all agree there is at least one security relationship that
>> capabilities cannot create, even in theory. This is the one Ralph Hartley
>> identified that Mark Miller agrees with. We also agree that this one is not
>> of practical importance. We also agree that there may be others that might
>> be of practical importance, though there is no agreement that others have
>> been found.

First, just to keep us all in the same discussion, I'm changing the names in 
Hal's message below so that it corresponds to our standard scenario 
http://www.erights.org/elib/capability/conspire.html .  Hal, if I 
unsuccessfully mapped your scenario to the standard one, please let us know.

>At the risk of re-opening a closed discussion, I'm not sure I agree
>with all parts of this.
>The question is one of irrevocable delegation.  If Bob has a capability
>to access [the Power] in certain ways, can he transfer it to [Mallet] in such a
>way that he is guaranteed not to be able to interfere with it in the

This is sort-of the question, but you have the parity flipped.  Everyone 
agrees that, under normal circumstances, a capability system enables Bob to 
engage in an irrevocable transfer.  The rest of your message assumes this is 
good, as it normally is.  The question is: Can Alice arrange to give Bob the 
power in some special way, so as to prevent Bob from delegating it to Mallet 
irrevocably?  We assume that Alice isn't in a position to confine Bob, or 
we'd be in the Confinement scenario, rather than the Communicating 
Conspirators scenario.  Because Alice must assume that Bob and Mallet are in 
communication by a path she has no access to, she may neither interfere 
with nor monitor communication between Bob and Mallet.  Therefore, we all 
agree, she cannot prevent Bob from delegating to Mallet.

Further, we assume that Bob and Mallet wish for Bob to delegate to Mallet 
irrevocably.  It is this wish Alice would like to thwart.  Can she?  Within 
the capability formalism, I don't see how.  However, one can imagine 
security architectures or situations in which Alice may impose this 
constraint on Bob.  Some examples are given on the page at the above URL.

Please reread this page.  I fear I'm repeating myself rather than contributing 
new insights.

>First, I don't agree that this is unimportant.  In the real world
>irreversible delegation plays a significant role.  In a broad sense,
>every transfer of property is irreversible delegation.  A more specific
>example is adding someone as a co-owner of property like real estate
>or a bank account.  Such transfers delegate ownership authority in an
>irreversible way.

No one is arguing that irrevocability is unimportant.  The question is: Is 
Alice's ability to prevent Bob from making the delegation irrevocable *by 
Bob* unimportant?  I'd love to see a scenario that made its importance 

>Second, it seems to me that capabilities can express this kind of
>delegation as well as anything else.  After all, with an ACL if Bob
>just tells [Mallet] that he's given [him] ownership access to a [power] on
>Alice, that doesn't prove that he really did it.  [Mallet] needs to be
>able to verify this in some reliable way with Alice.
>If we assume that [Mallet] does have a separate channel to Alice, then
>Bob can transfer a capability to [him] irrevocably with Alice's help.
>Assuming [Mallet] trusts Alice in this regard, Alice can assure [him] that
>Bob will be unable to revoke the transfer.  That's essentially what
>happens with ACLs, and it looks like capabilities can do it just as well.

The assumption that Alice might knowingly cooperate with Mallet demonstrates 
conclusively that you're addressing a different issue.
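The two delegation paths the message distinguishes, as an added illustration that is not code from this thread or from E. Alice, Bob, Mallet and the Power follow the standard scenario the message links to; the `Caretaker` class, `make_revocable`, and the two `delegate_*` strategies are assumptions chosen to show the point. Bob can forward the capability through a forwarder he controls (revocable by Bob) or hand over the reference Alice gave him (irrevocable by Bob); what reaches Alice's object is identical either way, so she cannot tell the two apart, and her only lever is her own revocation, which cuts off Bob and Mallet together.

```python
from typing import Callable, Optional, Tuple


class Power:
    """The resource Alice holds. A capability to it is just an unforgeable
    reference to this object, or to a forwarder that speaks for it."""

    def __init__(self) -> None:
        self.log: list = []   # all Alice can observe: the invocations that arrive

    def use(self, what: str) -> str:
        self.log.append(what)
        return f"used:{what}"


class Caretaker:
    """Revocable forwarder (the caretaker pattern, an assumed helper). Clients get
    the forwarder; whoever keeps the revoke function can cut it off later."""

    def __init__(self, target) -> None:
        self._target = target

    def use(self, what: str) -> str:
        if self._target is None:
            raise PermissionError("revoked")
        return self._target.use(what)

    def _revoke(self) -> None:
        self._target = None


def make_revocable(target) -> Tuple[Caretaker, Callable[[], None]]:
    """Return (forwarder to hand out, revoke function to keep privately)."""
    c = Caretaker(target)
    return c, c._revoke


def delegate_revocably(bob_cap) -> Tuple[object, Optional[Callable[[], None]]]:
    """Bob interposes his own caretaker, so he keeps a gate over Mallet's use."""
    return make_revocable(bob_cap)


def delegate_irrevocably(bob_cap) -> Tuple[object, Optional[Callable[[], None]]]:
    """Bob hands Mallet the very reference Alice gave him. Nothing Bob holds
    distinguishes Mallet's use from his own, so Bob cannot revoke it."""
    return bob_cap, None


def _probe(cap) -> str:
    try:
        cap.use("probe")
        return "ok"
    except PermissionError:
        return "revoked"


def run(delegate) -> dict:
    """Play the Communicating Conspirators scenario with one delegation strategy."""
    power = Power()
    bob_cap, alice_revoke = make_revocable(power)   # Alice -> Bob; Alice keeps the gate
    mallet_cap, bob_revoke = delegate(bob_cap)      # Bob -> Mallet, one of the two ways
    mallet_cap.use("mallet-1")
    bob_cap.use("bob-1")
    seen_by_alice = list(power.log)                 # identical for both strategies

    if bob_revoke is not None:                      # only possible in the revocable case
        bob_revoke()
    mallet_after_bob = _probe(mallet_cap)
    alice_revoke()                                  # Alice's gate cuts everyone downstream
    return {
        "seen_by_alice": seen_by_alice,
        "bob_can_revoke": bob_revoke is not None,
        "mallet_after_bob_revoke": mallet_after_bob,
        "mallet_after_alice_revoke": _probe(mallet_cap),
        "bob_after_alice_revoke": _probe(bob_cap),
    }


if __name__ == "__main__":
    for strategy in (delegate_revocably, delegate_irrevocably):
        print(strategy.__name__, run(strategy))
```

Running both strategies shows `seen_by_alice` equal in the two cases, which is the message's point: once Alice must assume Bob and Mallet share a channel she cannot see, the capability formalism gives her no way to prevent the irrevocable hand-over, only the coarser option of revoking Bob's own access.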