At 11:32 PM 12/9/99, email@example.com wrote:
>What if the ACL uses identity which is enforced by a tamper resistant,
>biometric based hardware token which Bob must carry and use as he
>interacts with the system? Then maybe he would be unable to build a
>box holding his power, and give it to Mallet.
Yes, that seems to be correct, given that Bob's TCB is immune from Bob's tampering. It harkens back to Ralph's interesting point (that I'd like to see us return to) that physical device security does have a different nature, and an architecture that took this into account might very well be different than one driven by the traditional purely computational security issues. Has this genuinely interesting question been raised in the context of any other security models? Are there any models that already try to integrate the two worlds?
>Yes, it doesn't seem like it is very useful in itself to prevent
>irrevocable delegation. I think people want to raise the cost of
>delegation in some circumstances, and they think irrevocable delegation
>would be cheaper since it only needs one transaction (supposedly), while
>the revocable "laundry" delegation has ongoing costs. But this would
>depend on the details of the system.
Yes, I have heard others make arguments based on imposing these "costs", and I am also very suspicious of such arguments. As hardware costs drop exponentially, so do these costs, whereas the value of the rights about which we are transacting is often already incommensurably larger than the current hardware-based cost of delegating.