[E-Lang] Hash Chaining & Capabilities, Proposal #2d: Deputizing Remote Vats

Karp, Alan alan_karp@hp.com
Tue, 2 Jan 2001 09:02:26 -0800

A bearer certificate has two properties.  Anyone holding it can use it, and
the system has no way of tracking who might be holding it.  E-speak Beta
2.2 keys had the first property, but not the second; e-speak Beta 3.0 SPKI
capabilities have the second property but not the first.

By the way, I don't think the issue of unforgeable certificates is tracking
who has the certificate; it's one of keeping the certificate safe.  One way
is crypto, but another is keeping the certificate in the TCB of the resource
it controls and only giving out a handle to it.

Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278

> -----Original Message-----
> From: Ben Laurie [mailto:ben@algroup.co.uk]
> Sent: Saturday, December 30, 2000 6:18 AM
> To: Jonathan S. Shapiro
> Cc: Karp, Alan; 'Mark S. Miller'; Bill Frantz; E Language Discussions;
> Nikita Borisov; Adrian Perrig; Dawn Song; David Wagner
> Subject: Re: [E-Lang] Hash Chaining & Capabilities, Proposal #2d:
> Deputizing Remote Vats
>
> "Jonathan S. Shapiro" wrote:
> >
> > > Which is what a partitioned system does. However, I can't quite
> > > reconcile the idea of a bearer capability with a partitioned system. Did
> > > I miss something?
> >
> > Or I did. There is no other kind of capability.  I believe you may be
> > concerned about the possibility that the software enforcing the partition
> > may use the same mechanisms for traceability. This is possible, and it's
> > part of why this software must be trusted.
>
> No, my point is that if the system can enforce capabilities (by knowing
> who has them) you don't have to make them unforgeable, but that doesn't
> permit the concept of a bearer capability (since the system must not
> know who has them).
>
> BTW, I guess if you wanted untraceability, you could achieve some of it
> by using blinding - I'm not sure how useful this would be, though.
>
> Cheers,
>
> Ben.
> --
> http://www.apache-ssl.org/ben.html
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
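
The two ways of keeping a certificate safe named in the message above (crypto, or holding the certificate in the TCB and giving out only a handle), sketched as an added example that is not part of the original thread and is not e-speak code. The class names, the HMAC construction and the `resource:right` certificate format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class CryptoIssuer:
    """Certificate kept safe by crypto: the holder carries the whole
    certificate and the issuer stores nothing about who holds it."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # known only to the issuer

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()

    def issue(self, resource, right):
        body = f"{resource}:{right}"
        return f"{body}:{self._tag(body)}"

    def check(self, cert, resource, right):
        # Split off the trailing MAC; everything before it is the claim.
        body, _, tag = cert.rpartition(":")
        ok = hmac.compare_digest(tag.encode(), self._tag(body).encode())
        return ok and body == f"{resource}:{right}"


class HandleTCB:
    """Certificate kept inside the TCB of the resource: the holder gets an
    opaque handle that carries no rights information to tamper with."""

    def __init__(self):
        self._table = {}  # handle -> (resource, right); never leaves the TCB

    def issue(self, resource, right):
        handle = secrets.token_hex(16)  # unguessable random index
        self._table[handle] = (resource, right)
        return handle

    def check(self, handle, resource, right):
        return self._table.get(handle) == (resource, right)


if __name__ == "__main__":
    issuer, tcb = CryptoIssuer(), HandleTCB()
    cert = issuer.issue("printer", "read")        # constructed sample values
    forged = cert.replace(":read:", ":write:")    # edit the claim, keep the MAC
    handle = tcb.issue("printer", "read")
    print(issuer.check(cert, "printer", "read"), issuer.check(forged, "printer", "write"))
    print(tcb.check(handle, "printer", "read"), tcb.check(handle, "printer", "write"))
```

In both schemes whoever presents the token is served, so either can act as a bearer credential; what differs is where the certificate's contents live and therefore what has to be protected.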