ping: A little while ago i took a security course from David Wagner in which we did weekly readings and summaries.
     tyler: I like it. Maybe we should put together a sort of "Hall of Shame", where criticism of ACL papers is indexed.
         ping: That's a great idea.
             danfuzz: Yes.
         ping: I notice that is available -- but if you have a better name in mind, let's hear it.
             danfuzz: I'd suggest a page sitting directly on one of the pre-existing capability-friendly sites, such as or
 ping: Upon looking back at it i think to myself, "Oh my! Those comments were pretty harshly worded." But perhaps you will find it interesting.
     chip: Harsh but pretty much on the mark.
     tyler: Heh.
     shap: While I love Ping's enthusiasm, several key statements on that web page are more enthusiastic than accurate. Some observations.
     shap: Speaking for myself, I would argue that the paper has a more fundamental flaw.
         markm: I don't remember any math in the Wallach paper.
             shap: I am indeed! Thank you for the correction.
                 ping: Okay,
         zooko: Your criticism is quite apt, Jonathan.
         zooko: At the time I wasn't familiar enough with the paper to effectively bring the contradictions to Dr. Michell's attention.
             marcs: Zooko, does it make any sense for you to email Dr. Mitchell and bring him up to date on the discussion that has taken place on this thread?
                 shap: Drew Dean, however, certainly knew better all along. The paper's claims are negligent.
     shap: Ping writes: "communicating conspirators cannot be prevented from delgating authority in any system." This is not strictly true.
         markm: Referring to the diagrams at :
         markm: AKAIK, imposing a bit-only channel serves only two security purposes:
             markm: I meant to say "imposing a bidirectional bit-only channel ..."
         markm: If there's a bi-directional bit channel between Bob and Mallet,
             shap: True, but not relevant. The question was can bob transfer authority, not can bob perform a de facto delegation of authority.
                 chris: Jonathan: read Ping's words again. He said "communicating conspirators cannot be prevented from delegating authority in any system".
                     shap: Thank you for the correction.
                         daw: For what it's worth, I read Ping's words the same way Chris did. Maybe this was too ambiguous.
                             shap: I agree that Ping's point was sound, and I wasn't trying to undermine his conclusion.
                     shap: Ping: My apologies if I misread you. Just so we all understand, which way did you mean?
                         ping: I did intend the meaning Chris is thinking of: that is, if A can send messages to B,
                         ping: I guess i don't really understand why any other definition is necessary.
                             zooko: For one thing, a capability is around 20 bytes, and a copy of the object being accessed might be any size: kilobytes, megabytes, gigabytes, terabytes...
                             ben: One obvious difference is that if you break the channel between A and B, then in one case A can no longer exercise B's authority,