Identity et al (was Re: [E-Lang] Authority -- what is its dual?)

Mark S. Miller
Mon, 22 Oct 2001 10:42:15 -0700

Tribble wrote:
>   - in the real world, doing this with signatures is beyond 
>   nightmarish.  Distribution of keys is *exactly* the same problem of 
>   distribution of capabilities.  How do you know that you have the actual 
>   Kellogg key?  How do you get a new one if that one is compromised or 
>   expired?

At 08:41 AM 10/22/2001 Monday, Jonathan A Rees wrote:
>Then let's come up with an idealization with clean semantics that
>captures the right way to do it.  I don't see why this is a tall
>order, since we already have the capability model as an idealization
>of cryptography and/or physical security.  Digital signatures also
>seem perfectly natural to me and should have a simple idealization.  I
>had thought that RA could be used to implement signatures.
>Distribution and recovery are things that can be solved within the
>framework - and if they can't be, my original critique of the
>framework (OO) is strengthened.

Dean, I'm surprised to hear you say that.  You followed and participated in 
the discussion of the CryptoBrandMaker and LazyCryptoBrandMaker, for which 
the following are the pipermail thread roots.  

(Btw, this shows that pipermail's threading sucks really badly.  As far as I 
can tell, these are actually all part of one thread for which the first 
message is the actual root.  Pipermail's formatting sucks badly too.  If you 
get long lines that scroll off to the right rather than wrapping, do a 
"Save As" and remove the <pre> </pre> tags.)

In any case, the abstractions described, which can be implemented purely outside 
the kernel, are identical, as far as I can tell, to what JAR is asking for, 
and are indeed not a tall order.  Distribution of keys is indeed exactly the 
same problem as distribution of capabilities, and so is not a problem.  What 
am I missing?