[E-Lang] Irreversible delegation, was: draft statement of
Mark S. Miller
Thu, 08 Feb 2001 13:09:08 -0800
At 09:54 AM Thursday 2/8/01, firstname.lastname@example.org wrote:
>> 2. We all agree there is at least one security relationship that
>> capabilities cannot create, even in theory. This is the one Ralph Hartley
>> identified that Mark Miller agrees with. We also agree that this one is not
>> of practical importance. We also agree that there may be others that might
>> be of practical importance, though there is no agreement that others have
>> been found.
First, just to keep us all in the same discussion, I'm changing the names in
Hal's message below so that it corresponds to our standard scenario
http://www.erights.org/elib/capability/conspire.html . Hal, if I
unsuccessfully mapped your scenario to the standard one, please let us know.
>At the risk of re-opening a closed discussion, I'm not sure I agree
>with all parts of this.
>The question is one of irrevocable delegation. If Bob has a capability
>to access [the Power] in certain ways, can he transfer it to [Mallet] in such a
>way that he is guaranteed not to be able to interfere with it in the
This is sort-of the question, but you have the parity flipped. Everyone
agrees that, under normal circumstances, a capability system enables Bob to
engage in an irrevocable transfer. The rest of your message assumes this is
good, as it normally is. The question is: Can Alice arrange to give Bob the
power in some special way, so as to prevent Bob from delegating it to Mallet
irrevocably? We assume that Alice isn't in a position to confine Bob, or
we'd be in the Confinement scenario, rather than the Communicating
Conspirators scenario. Because Alice must assume that Bob and Mallet are in
communication by a path she has no access to, she may neither interfere
with nor monitor communication between Bob and Mallet. Therefore, we all
agree, she cannot prevent Bob from delegating to Mallet.
Further, we assume that Bob and Mallet wish for Bob to delegate to Mallet
irrevocably. It is this wish Alice would like to thwart. Can she? Within
the capability formalism, I don't see how. However, one can imagine
security architectures or situations in which Alice may impose this
constraint on Bob. Some examples are given on the page at the above URL.
Please reread this page. I fear I'm repeating myself rather than contributing
>First, I don't agree that this is unimportant. In the real world
>irreversible delegation plays a significant role. In a broad sense,
>every transfer of property is irreversible delegation. A more specific
>example is adding someone as a co-owner of property like real estate
>or a bank account. Such transfers delegate ownership authority in an
No one is arguing that irrevocability is unimportant. The question is: Is
Alice's ability to prevent Bob from making the delegation irrevocable *by
Bob* unimportant? I'd love to see a scenario that made its importance
>Second, it seems to me that capabilities can express this kind of
>delegation as well as anything else. After all, with an ACL if Bob
>just tells [Mallet] that he's given [him] ownership access to a [power] on
>Alice, that doesn't prove that he really did it. [Mallet] needs to be
>able to verify this in some reliable way with Alice.
>If we assume that [Mallet] does have a separate channel to Alice, then
>Bob can transfer a capability to [him] irrevocably with Alice's help.
>Assuming [Mallet] trusts Alice in this regard, Alice can assure [him] that
>Bob will be unable to revoke the transfer. That's essentially what
>happens with ACLs, and it looks like capabilities can do it just as well.
The assumption that Alice might knowingly cooperate with Mallet demonstrates
conclusively that you're addressing a different issue.
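The scenario Mark lays out above (Alice grants Bob a capability she can revoke, Bob and Mallet then choose an irrevocable hand-off over a channel Alice cannot see), as an added Python example that is not part of the original thread; the caretaker classes, function names and the two delegation routes are assumptions for illustration.

```python
# Added example, not code from the E-Lang thread: a toy capability model of the
# Communicating Conspirators scenario. Class and function names are assumptions.

class Power:
    """The resource Alice holds a direct reference to."""
    def use(self, who):
        return f"{who} used the power"

class Caretaker:
    """Revocable forwarder (the caretaker pattern): holders may call use() until
    the grantor, who alone keeps the revoker, cuts the link to the target."""
    def __init__(self, target):
        self._target = target
    def use(self, who):
        if self._target is None:
            raise PermissionError("revoked")
        return self._target.use(who)

def make_caretaker(target):
    """Return (forwarder, revoker). Only the grantor keeps the revoker."""
    ct = Caretaker(target)
    def revoke():
        ct._target = None
    return ct, revoke

def works(cap, who):
    """True if `who` can still exercise `cap`."""
    try:
        cap.use(who)
        return True
    except PermissionError:
        return False

def scenario():
    """Alice -> Bob (revocable by Alice); Bob -> Mallet by two routes."""
    power = Power()
    bob_cap, alice_revoke = make_caretaker(power)
    # Route A: Bob wraps his capability in a caretaker he can revoke.
    mallet_a, bob_revoke = make_caretaker(bob_cap)
    # Route B: Bob hands Mallet the very object he holds and keeps no revoker.
    # Alice cannot see or prevent this choice; it happens on the Bob-Mallet channel.
    mallet_b = bob_cap
    out = {"a_before": works(mallet_a, "Mallet"), "b_before": works(mallet_b, "Mallet")}
    bob_revoke()                     # Bob's revocation reaches route A only
    out["a_after_bob"] = works(mallet_a, "Mallet")
    out["b_after_bob"] = works(mallet_b, "Mallet")
    alice_revoke()                   # Alice's revocation reaches everyone downstream
    out["bob_after_alice"] = works(bob_cap, "Bob")
    out["b_after_alice"] = works(mallet_b, "Mallet")
    return out
```

Route B is the irrevocable delegation the thread discusses: nothing Alice built into the forwarder distinguishes Mallet's calls from Bob's, so her only lever remains revoking Bob, and Mallet with him.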