[E-Lang] Hash Chaining & Capabilities, Proposal #2d: Deputizi
ng Remote Vats
Tue, 2 Jan 2001 10:11:24 -0800
> -----Original Message-----
> From: Ben Laurie [mailto:email@example.com]
> Sent: Tuesday, January 02, 2001 9:11 AM
> To: Karp, Alan
> Cc: Jonathan S. Shapiro; 'Mark S. Miller'; Bill Frantz; E Language
> Discussions; Nikita Borisov; Adrian Perrig; Dawn Song; David Wagner
> Subject: Re: [E-Lang] Hash Chaining & Capabilities, Proposal #2d:
> Deputizing Remote Vats
> "Karp, Alan" wrote:
> > A bearer certificate has two properties. Anyone holding it
> can use it, and
> > the system has no way of tracking who might be holding it.
> E-espeak Beta
> > 2.2 keys had the first property, but not the second;
> e-speak Beta 3.0 SPKI
> > capabilities have the second property but not the first.
> > By the way, I don't think the issue of unforgeable
> certificates is tracking
> > who has the certificate;
> That's not what I'm saying - I'm saying you have to either
> track them or
> make them unforgeable.
> > it's one of keeping the certificate safe. One way
> > is crypto, but another is keeping the certificate in the
> TCB of the resource
> > it controls and only giving out a handle to it.
> Then the handle has to either be unforgeable, or trackable, surely?
> "There is no limit to what a man can do or how far he can go if he
> doesn't mind who gets the credit." - Robert Woodruff
Duh. Of course, you're right. What was I thinking? My only excuse is that
e-speak never had to worry about forgeable handles because all references
were handled through core data structures. Although there was no explicit
tracking, the effect is exactly the same. Unforgeable or trackable; those
are the only choices.
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278