[E-Lang] Hash Chaining & Capabilities, Proposal #2d: Deputizi
ng Remote Vats
Tue, 2 Jan 2001 09:02:26 -0800
A bearer certificate has two properties. Anyone holding it can use it, and
the system has no way of tracking who might be holding it. E-espeak Beta
2.2 keys had the first property, but not the second; e-speak Beta 3.0 SPKI
capabilities have the second property but not the first.
By the way, I don't think the issue of unforgeable certificates is tracking
who has the certificate; it's one of keeping the certificate safe. One way
is crypto, but another is keeping the certificate in the TCB of the resource
it controls and only giving out a handle to it.
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
> -----Original Message-----
> From: Ben Laurie [mailto:firstname.lastname@example.org]
> Sent: Saturday, December 30, 2000 6:18 AM
> To: Jonathan S. Shapiro
> Cc: Karp, Alan; 'Mark S. Miller'; Bill Frantz; E Language Discussions;
> Nikita Borisov; Adrian Perrig; Dawn Song; David Wagner
> Subject: Re: [E-Lang] Hash Chaining & Capabilities, Proposal #2d:
> Deputizing Remote Vats
> "Jonathan S. Shapiro" wrote:
> > > Which is what a partitioned system does. However, I can't quite
> > > reconcile the idea of a bearer capability with a
> partitioned system. Did
> > > I miss something?
> > Or I did. There is no other kind of capability. I believe
> you may be
> > concerned about the possibility that the software enforcing
> the partition
> > may use the same mechanisms for traceability. This is
> possible, and it's
> > part of why this software must be trusted.
> No, my point is that if the system can enforce capabilities
> (by knowing
> who has them) you don't have to make them unforgeable, but
> that doesn't
> permit the concept of a bearer capability (since the system must not
> know who has them).
> BTW, I guess if you wanted untraceability, you could achieve
> some of it
> by using blinding - I'm not sure how useful this would be, though.
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff