[E-Lang] Irreversible delegation, was: draft statement of consensus

hal@finney.org hal@finney.org
Thu, 8 Feb 2001 14:37:08 -0800

Mark M. writes, quoting Hal:
> >The question is one of irrevocable delegation.  If Bob has a capability
> >to access [the Power] in certain ways, can he transfer it to [Mallet] in such a
> >way that he is guaranteed not to be able to interfere with it in the
> >future.
> This is sort-of the question, but you have the parity flipped.  Everyone 
> agrees that, under normal circumstances, a capability system enables Bob to 
> engage in an irrevocable transfer.  The rest of your message assumes this is 
> good, as it normally is.  The question is: Can Alice arrange to give Bob the 
> power in some special way, so as to prevent Bob for delegating it to Mallet 
> irrevocably?

I see.  I'm sorry, I had the issue backwards.  It isn't whether
irrevocable delegation is possible, it's whether it can be prevented.

We accept that delegation can't be prevented (due to proxying); the
question is, can we set things up so that the ONLY way Bob can delegate
to Mallet is by proxying for him.  ACL systems claim to do so, since
they won't let Mallet access Alice directly, so he must have Bob's help
for each access.  Capability systems can't do so since Bob can just hand
Mallet any capability he has.

I agree that I can't come up with any plausible situations where this
is a useful power.