[E-Lang] Irreversible delegation, was: draft statement of consensus

Marc Stiegler marcs@skyhunter.com
Thu, 8 Feb 2001 21:39:30 -0700


Since this discussion seems to be taking multiple turns, I will, unless a
miracle occurs, invoke the procedure I spelled out several days ago, and
remove item 2 from the Statement of Consensus which I will be formally
publishing tomorrow. Any resolution on this discussion can be included in a
future Statement.

Uh, the definition of a "miracle" would, I think, be that Alan and Hal both
send me email saying to include item 2 without change. This assumes no one
else jumps into the fray or requests that I remove item 2, in which case
item 2 remains toast :-)

--marcs

----- Original Message -----
From: Karp, Alan <alan_karp@hp.com>
To: <hal@finney.org>; <markm@caplet.com>
Cc: <e-lang@eros.cis.upenn.edu>; <marcs@skyhunter.com>
Sent: Thursday, February 08, 2001 6:15 PM
Subject: RE: [E-Lang] Irreversible delegation, was: draft statement of
consensus


> Isn't rights amplification an issue?  Here I've set up a scenario in
> which one of the conspirators loses any benefit obtained by giving up
> the power irrevocably.  Hence, Alice "prevents" Bob from doing
> irrevocable delegation.  I'd also like to turn the story around, so that
> the conspirator benefits only by giving up the power irrevocably.  That
> should have the same result as Alice requiring Bob to delegate to Mallet
> irrevocably.  Unfortunately, I don't see how to do it.
>
> Bob has the right to the can; Carol has the right to the can opener.
> Bob and Carol never heard of each other.  Bob is willing to proxy for
> Mallet; Carol is willing to proxy for Mallet.  The tuna is safe from all
> three.  Bob gives Mallet the right to the can.  Mallet can ask Carol to
> combine her right to the can opener with his newly obtained right to the
> can.  Now, the three conspirators can make their tuna casserole.  (Side
> question.  Doesn't the SPKI do not delegate bit prevent this misuse?)
>
> Note that Mallet and Carol have no need to invite Bob to the banquet.
> Bob can't revoke the privilege he gave to Mallet, so he has no recourse.
> If there is no honor among thieves, then Bob won't give Mallet the right
> to the can.  Why should Mallet get all the goodies?  (I'm assuming no
> side payments.  Is that fair?)  Alice's tuna is protected because the
> only way that Bob can give Mallet what he needs to get the tuna is to do
> so irrevocably.
>
> Is this reasonable?  Can anyone see how to turn the story around so Bob
> only benefits from irrevocable delegation?
>
> _________________________
> Alan Karp
> Principal Scientist
> Decision Technology Department
> Hewlett-Packard Laboratories MS 1U-2
> 1501 Page Mill Road
> Palo Alto, CA 94304
> (650) 857-3967, fax (650) 857-6278
> https://ecardfile.com/id/Alan_Karp
> http://www.hpl.hp.com/personal/Alan_Karp/
>
>
> > -----Original Message-----
> > From: hal@finney.org [mailto:hal@finney.org]
> > Sent: Thursday, February 08, 2001 2:37 PM
> > To: hal@finney.org; markm@caplet.com
> > Cc: e-lang@eros.cis.upenn.edu; marcs@skyhunter.com
> > Subject: Re: [E-Lang] Irreversible delegation, was: draft statement of
> > consensus
> >
> >
> > Mark M. writes, quoting Hal:
> > > >The question is one of irrevocable delegation.  If Bob has
> > a capability
> > > >to access [the Power] in certain ways, can he transfer it
> > to [Mallet] in such a
> > > >way that he is guaranteed not to be able to interfere with
> > it in the
> > > >future.
> > >
> > > This is sort-of the question, but you have the parity
> > flipped.  Everyone
> > > agrees that, under normal circumstances, a capability
> > system enables Bob to
> > > engage in an irrevocable transfer.  The rest of your
> > message assumes this is
> > > good, as it normally is.  The question is: Can Alice
> > arrange to give Bob the
> > > power in some special way, so as to prevent Bob for
> > delegating it to Mallet
> > > irrevocably?
> >
> > I see.  I'm sorry, I had the issue backwards.  It isn't whether
> > irrevocable delegation is possible, it's whether it can be prevented.
> >
> > We accept that delegation can't be prevented (due to proxying); the
> > question is, can we set things up so that the ONLY way Bob
> > can delegate
> > to Mallet is by proxying for him.  ACL systems claim to do so, since
> > they won't let Mallet access Alice directly, so he must have
> > Bob's help
> > for each access.  Capability systems can't do so since Bob
> > can just hand
> > Mallet any capability he has.
> >
> > I agree that I can't come up with any plausible situations where this
> > is a useful power.
> >
> > Hal
> > _______________________________________________
> > e-lang mailing list
> > e-lang@mail.eros-os.org
> > http://www.eros-os.org/mailman/listinfo/e-lang
> >
>