From: Mark Miller <>
Replying To: Jonathan S. Shapiro <>
Date: Sun, 01 Dec 2002 13:27:30 -0800
Subject: Re: [e-lang] Commentary on Wallach's "Extensible Security Architectures for Java"

At 08:47 AM 12/1/2002 Sunday, Jonathan S. Shapiro wrote:
>Ping writes: "communicating conspirators cannot be prevented from
>delegating authority in any system." This is not strictly true. If
>communication occurs over a typed channel, and if authorities are a
>distinguishable type from data, then communicating conspirators *can* be
>prevented from transmitting authorities.

Referring to the diagrams at : 

If there's a bi-directional bit channel between Bob and Mallet, then Bob 
*cannot* be prevented from delegating his authority over the power to 
Mallet, since he can set up a laundry (or proxy) within himself that accepts 
instructions from Mallet about how to employ the power.

If there's only a uni-directional bit channel from Bob to Mallet, then this 
can be prevented,  but this scenario should be classified as a variant of 
confinement, not a variant of communicating conspirators.

AFAIK, imposing a bit-only channel serves only two security purposes:

* It allows someone that can revoke the channel to effectively revoke all 
authority delegated by proxying over the channel.  This is the actual payoff 
from the use of this mechanism in KeySAFE.

* It can prevent delegation of the ability to cause rights amplification:  
Mallet's can-opener won't recognize a bit-channel to a can as a can it 
is willing to open, and Mallet can do nothing to convince it. (Thanks to 
Alan Karp for this point.)

While both of these are important, these aren't what Wallach... mean when 
they talk about preventing delegation.  I believe Ping's criticism remains 
exactly on-target.
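As an added illustration (not part of the original message, and not E or KeySAFE code), the following Python models the argument above: Bob holds the power, the only link to Mallet is a channel that carries strings and nothing else, and a laundry inside Bob lets Mallet employ the power anyway. It also shows the two payoffs listed: revoking the channel cuts off everything proxied over it, and a facade Mallet builds over bits is not a Can, so a type-checking can-opener refuses it. All class names, and the "squares its argument" stand-in for the power, are constructed for this example.

```python
from __future__ import annotations

from collections import deque
from typing import Optional


class Revoked(Exception):
    """Raised on any use of a channel after it has been revoked."""


class BitChannel:
    """One-directional queue carrying only strings (bits), never object references.
    Holding an end of it conveys no authority beyond 'talk'."""

    def __init__(self) -> None:
        self._queue: deque = deque()
        self._alive = True

    def send(self, msg: str) -> None:
        if not self._alive:
            raise Revoked("channel revoked")
        if not isinstance(msg, str):
            raise TypeError("only data may cross a bit channel")
        self._queue.append(msg)

    def recv(self) -> Optional[str]:
        if not self._alive:
            raise Revoked("channel revoked")
        return self._queue.popleft() if self._queue else None

    def revoke(self) -> None:
        """Whoever can revoke the channel thereby revokes all authority proxied over it."""
        self._alive = False


class Power:
    """The authority Bob holds (constructed stand-in: it squares its argument)."""

    def apply(self, x: int) -> int:
        return x * x


class BobLaundry:
    """Bob's proxy: reads Mallet's instructions as bits and wields the power for him."""

    def __init__(self, power: Power, from_mallet: BitChannel, to_mallet: BitChannel) -> None:
        self._power, self._in, self._out = power, from_mallet, to_mallet

    def step(self) -> bool:
        """Handle one pending instruction; False if nothing was waiting."""
        msg = self._in.recv()
        if msg is None:
            return False
        self._out.send(str(self._power.apply(int(msg))))
        return True


def mallet_uses_power(to_bob: BitChannel, from_bob: BitChannel, laundry: BobLaundry, x: int) -> int:
    """Mallet never holds a Power reference, yet obtains its effect via Bob's laundry."""
    to_bob.send(str(x))
    laundry.step()  # Bob's turn in this single-threaded simulation
    return int(from_bob.recv())


def bidirectional_delegation() -> list:
    """Bob <-> Mallet bit channel: delegation by proxy succeeds, typed channel or not."""
    to_bob, to_mallet = BitChannel(), BitChannel()
    laundry = BobLaundry(Power(), to_bob, to_mallet)
    return [mallet_uses_power(to_bob, to_mallet, laundry, x) for x in (3, 4)]


def revocation_cuts_delegation() -> bool:
    """Payoff 1: revoking the channel ends the proxied authority."""
    to_bob, to_mallet = BitChannel(), BitChannel()
    laundry = BobLaundry(Power(), to_bob, to_mallet)
    mallet_uses_power(to_bob, to_mallet, laundry, 5)
    to_bob.revoke()
    to_mallet.revoke()
    try:
        mallet_uses_power(to_bob, to_mallet, laundry, 6)
    except Revoked:
        return True
    return False


class Can:
    def __init__(self, contents: str) -> None:
        self._contents = contents


class CanOpener:
    """Recognises cans by type (the brand); a bit-channel facade does not pass."""

    def open(self, can: object) -> str:
        if not isinstance(can, Can):
            raise TypeError("not a can I am willing to open")
        return can._contents


class CanFacade:
    """All Mallet can build from a bit channel to Bob, who holds the real can."""

    def __init__(self, to_bob: BitChannel, from_bob: BitChannel) -> None:
        self._to_bob, self._from_bob = to_bob, from_bob


def amplification_blocked() -> bool:
    """Payoff 2: the opener will not amplify rights through Mallet's facade."""
    facade = CanFacade(BitChannel(), BitChannel())
    try:
        CanOpener().open(facade)
    except TypeError:
        return True
    return False
```

The laundry never hands Mallet the power object; it only consumes and produces strings, which is exactly why a "data only" type discipline on the channel cannot stop it. What the discipline does buy is captured by the last two functions: a revocable choke point, and a brand check that a facade cannot satisfy.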

Text by me above is hereby placed in the public domain
