[Forwarded with permission. --MarkM]
Hi Mark --
(1) With a distributed object-based system, distributed garbage collection
becomes difficult. This is perhaps not unique to E, but it is a problem
that you must address. How do you propose to do so?
(2) We went through the MintMaker and CoveredCallOptionMaker is some detail.
It's nice that you can express the desired behavior (and implicit security)
so simply. However, when we tried to figure out what is *really* happening,
it became more difficult.
When one is trying to figure out what messages need to be sent between
various machines (i.e. what the communications efficiency is), and
when one is trying to assess the security implications of breaking into
a single machine (or vat), it becomes important to have a feeling as to
*where* various objects end up residing.
For example, with the MintMaker example, it seems that all purses for the
same mint presumably end up residing on the same machine as the mint.
(I'm not sure if this is right; please straighten me out if it is not.)
This may be advantageous from a security point of view, as the sealer/unsealer
never have to leave that machine. But it is disadvantageous from a communications
point of view, as it means that the solution is really ``centralized'', with
various parties have to communicate back to the central mint machine for each
transaction.
Perhaps such behavior is not required, but it is not obvious within your
system as to how one can reason about or control such important system
aspects as to where each object resides...
(3) Although we didn't discuss it in the reading group, I also had a minor
nit with your comparison with SPKI (page 24 of your paper, first full
paragraph). Delegation within SPKI is certainly enforceable, in that
a reference monitor can check whether or not a given chain of
certificates includes an impermissable delegation. The only thing that is
not enforceable is that you can't prevent someone from giving away their
private keys. This is more than delegation, it is abdication, and
corresponds more closely to the problem you have with loss of a vat key.
(4) One advantage that SPKI has over E is that I can delegate authority
*before* I receive it, whereas in E this is not true. For example, I
can on Monday define that "<mykey> committee" includes "<mykey> Bob", so that
any rights that the committee receives are automatically transferred to
Bob. Then on Wednesday Carl can authorize the committee to read some
document. No further action is required for Bob to be able to
read the document.
Anyway, excellent paper! Feedback on the above (especially (2)), would be appreciated...
Cheers, Ron