[E-Lang] Irreversible delegation, was: draft statement of consensus
Thu, 8 Feb 2001 21:39:30 -0700
Since this discussion seems to be taking multiple turns, I will, unless a
miracle occurs, invoke the procedure I spelled out several days ago, and
remove item 2 from the Statement of Consensus which I will be formally
publishing tomorrow. Any resolution on this discussion can be included in a
Uh, the definition of a "miracle" would, I think, be that Alan and Hal both
send me email saying to include item 2 without change. This assumes no one
else jumps into the fray or requests that I remove item 2, in which case
item 2 remains toast :-)
----- Original Message -----
From: Karp, Alan <email@example.com>
To: <firstname.lastname@example.org>; <email@example.com>
Cc: <firstname.lastname@example.org>; <email@example.com>
Sent: Thursday, February 08, 2001 6:15 PM
Subject: RE: [E-Lang] Irreversible delegation, was: draft statement of
> Isn't rights amplification an issue? Here I've set up a scenario in
> which one of the conspirators loses any benefit obtained by giving up
> the power irrevocably. Hence, Alice "prevents" Bob from doing
> irrevocable delegation. I'd also like to turn the story around, so that
> the conspirator benefits only by giving up the power irrevocably. That
> should have the same result as Alice requiring Bob to delegate to Mallet
> irrevocably. Unfortunately, I don't see how to do it.
> Bob has the right to the can; Carol has the right to the can opener.
> Bob and Carol never heard of each other. Bob is willing to proxy for
> Mallet; Carol is willing to proxy for Mallet. The tuna is safe from all
> three. Bob gives Mallet the right to the can. Mallet can ask Carol to
> combine her right to the can opener with his newly obtained right to the
> can. Now, the three conspirators can make their tuna casserole. (Side
> question. Doesn't the SPKI do not delegate bit prevent this misuse?)
> Note that Mallet and Carol have no need to invite Bob to the banquet.
> Bob can't revoke the privilege he gave to Mallet, so he has no recourse.
> If there is no honor among thieves, then Bob won't give Mallet the right
> to the can. Why should Mallet get all the goodies? (I'm assuming no
> side payments. Is that fair?) Alice's tuna is protected because the
> only way that Bob can give Mallet what he needs to get the tuna is to do
> so irrevocably.
> Is this reasonable? Can anyone see how to turn the story around so Bob
> only benefits from irrevocable delegation?
> Alan Karp
> Principal Scientist
> Decision Technology Department
> Hewlett-Packard Laboratories MS 1U-2
> 1501 Page Mill Road
> Palo Alto, CA 94304
> (650) 857-3967, fax (650) 857-6278
> > -----Original Message-----
> > From: firstname.lastname@example.org [mailto:email@example.com]
> > Sent: Thursday, February 08, 2001 2:37 PM
> > To: firstname.lastname@example.org; email@example.com
> > Cc: firstname.lastname@example.org; email@example.com
> > Subject: Re: [E-Lang] Irreversible delegation, was: draft statement of
> > consensus
> > Mark M. writes, quoting Hal:
> > > >The question is one of irrevocable delegation. If Bob has
> > a capability
> > > >to access [the Power] in certain ways, can he transfer it
> > to [Mallet] in such a
> > > >way that he is guaranteed not to be able to interfere with
> > it in the
> > > >future.
> > >
> > > This is sort-of the question, but you have the parity
> > flipped. Everyone
> > > agrees that, under normal circumstances, a capability
> > system enables Bob to
> > > engage in an irrevocable transfer. The rest of your
> > message assumes this is
> > > good, as it normally is. The question is: Can Alice
> > arrange to give Bob the
> > > power in some special way, so as to prevent Bob for
> > delegating it to Mallet
> > > irrevocably?
> > I see. I'm sorry, I had the issue backwards. It isn't whether
> > irrevocable delegation is possible, it's whether it can be prevented.
> > We accept that delegation can't be prevented (due to proxying); the
> > question is, can we set things up so that the ONLY way Bob
> > can delegate
> > to Mallet is by proxying for him. ACL systems claim to do so, since
> > they won't let Mallet access Alice directly, so he must have
> > Bob's help
> > for each access. Capability systems can't do so since Bob
> > can just hand
> > Mallet any capability he has.
> > I agree that I can't come up with any plausible situations where this
> > is a useful power.
> > Hal
> > _______________________________________________
> > e-lang mailing list
> > firstname.lastname@example.org
> > http://www.eros-os.org/mailman/listinfo/e-lang