Communicating Conspirators Ralph Hartley (hartley@AIC.NRL.Navy.Mil)
Mon, 15 Nov 1999 11:51:21 -0800

[The following correspondence with Ralph Hartley is forwarded with permission. This first message is in reaction to http://www.erights.org/elib/capability/conspire.html . --MarkM]

You are making the logical error of assuming that because your notation can not express a difference that there is no difference.

There are two unstated assumptions that you appear to make.

All communication is two way and continuous.

All powers can be described as the ability to send or receive a message.

The first assumption is the less problematical one. Depending on how it is violated it can result in a great number of different cases which may or may not be describable in terms of capabilities, but it does not change the results of the question you pose.

The other assumption is more important. Consider the following scenario.

Alice wishes to allow Bob, but not Mallet (who is in communication with Bob) to have sex with her. Unfortunately Bob's character may not be as good as she thinks; he could actually be working for Mallet who has designs on Alice.

Clearly the capability model has no way of dealing with, or even properly talking about, this situation. Fortunately ACLs can handle this easily.

I can easily think of numerous (though less graphic) situations where I might want to grant a non-transferable power. This is why the word "Non-transferable" appears in so many contracts. Contrary to common belief, lawyers are not paid to litigate meaningless distinctions (though sometimes they do).

Of course if powers are restricted to consist only of the ability to communicate, then there is no distinction since communication is transitive. But this restriction rules out a vast part, perhaps a majority of things that security is needed for.

Ralph Hartley