At 11:45 AM 11/23/99 , Ralph Hartley wrote:
>Suppose before Alice gives Bob a power, she insists that bob let her
>examine his source code, and verifies that no information Bob receives
>from Mallet can ever affect Bob's use of the power. This example
>violates your other assumption ...
This example does indeed violate an assumption -- the assumption that is the whole premise of the thread. This thread is named "Communicating Conspirators" specifically in reaction to http://www.erights.org/elib/capability/conspire.html rather than http://www.erights.org/elib/capability/confinement.html . Ralph, the claim I took you to be challenging is the claim on the first of these links -- that *if* Alice is not in a position to confine Bob, or be assured that Bob is confined, *then* she cannot prevent Bob from further delegating this power to Mallet. On the second link we concede -- indeed we proudly proclaim -- that if Bob can be confined to Alice's satisfaction, then Alice can indeed be confident that Bob cannot delegate the power to Mallet. Your example above is a means of implementing confinement. It is actually fairly close to the "auditor" technique E uses for confinement.
We further claim http://www.erights.org/elib/capability/dist-confine.html that there are severe limitation on the conditions under which Alice can obtain confidence of Bob's confinement. I suspect that this may be where the substantive disagreement lies.
In any case, I hope you are correct that our claims may be narrow enough to be correct. I would not have it otherwise. Let us stay on track wrt what narrow claims we are making that you are trying to refute.
Cheers,
--MarkM