--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z3OUp1xZf%3DWfaFnwNREoh-zy%3DahNZmXG1U-x_R0v%2BZLog%40mail.gmail.com.
Depending on your definitions, I'd say thatdoes offline delegation opaquely, using c-list indexes rather than target identities.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z1TF39pD8nLH_qgPi3Ge6LukQdfc8bUDMpW_ecqzZnbBQ%40mail.gmail.com.
In SPKI and all SPKI-like systems, when Bob accesses Carol, VatB sends to VatC a certificate chain that includes the certificate by which VatA authorized VatB to access Carol. Here, the "extra" message in the certificate chain is a message "from" VatA to VatC telling VatC that VatB is authorized to call Carol. "from" is in scare quotes because VatA doesn't need to send this message to VatC. In the scenario, VatA relays this message to VatC by sending it to VatB to deliver to VatC. VatC does not need to receive this until VatB actually accesses Carol. So VatB can just include this authorization in the overall packet that also contains his accessing Carol. Since the extra message only needs to be understood by VatA and VatC, in a system capable of secrets (pretty much anything except blockchains), that extra message can be encrypted so VatB cannot read it, but would still convey it bundled with his access request.
Also, the certificate cannot be opaque because Alice must know how to construct one.
--
--------------
Alan Karp
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2fMHnZG6cPDjF3BOFC2JgkDefJT4%2B4C8%2BcWsFRL%3Djr-A%40mail.gmail.com.
It is case. At 32:59 https://youtu.be/7u0yVJjBBek?t=1979 the message on the left labeled "A->C1" is actually carried as extra opaque payload in the packed sent from VatB to VatC, along with the "B1->C1" message that Bob sent to Carol. The curved red line indicates this certificate chain, by which the incoming message on the right includes the incoming message (perhaps confusingly) shown on the left.Also, the certificate cannot be opaque because Alice must know how to construct one.Then I don't understand what opaqueness is at stake. What is opaque to whom?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z0SM_h%3DdfPBm_WyEsm8uOWY3Px8UfJyBp0c7gQ_kKgk0g%40mail.gmail.com.
What is made opaque? Who is it supposed to be opaque to? What entity in the granovetter introduction is supposed to not know something that the opaqueness would prevent them from knowing? What extra thing would they know in the introduction explained in my talk, if the "A->C1" message were encrypted so VatB cannot read it? If possible, please answer in terms of our standard players, Alice, Bob, Carol, VatA, VatB, and VatC.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z3006OYZD%2BjWjp_JM25JZCbSpOnvsW%2BzHu4kMRNLtEvkQ%40mail.gmail.com.
That's cheating. You've introduced a mutually trusted fourth party, the AS. In a peer-to-peer network of vats, how many ASes are there? Which vat is vulnerable to which AS? What if there is no one AS that VatA, VatB, and VatC mutually trust?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z3ULHUZAtpLb6GNfm60i-QewHBPWA3WDfVpMx7GNDqF0g%40mail.gmail.com.
I propose that we can, without loss of generality, combine AS-C and RS-C into VatC and consider them as a unit. If we do, then what remaining opacity are they providing, and who is being denied knowledge of what? If it doesn't make a difference in the knowledge of the agents, then it is not a useful opacity.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2LVn%2BtJCD686ee4JJqYrW6U-1Up%2BNpPSXOC1-JN3tmxQ%40mail.gmail.com.
Clarity, thanks!My protocol (thanks to you!) uses c-list entries, not swiss nums. It is interesting to compare them for opacity. In some ways swiss nums are more opaque. In other ways, c-indexes are.Is this the only real difference in opacity?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z1iuxzadTTPiO4pB7BOKvvxVbwr3fE6kNNO59FO3pH3%2BA%40mail.gmail.com.
Rather, Tyler's fragments (or swiss numbers) were c-list indexes into a per-hosting-vat clist. CapTP's c-list indexes are indexes into a per connection c-list.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2X0TE20ogvCJN23m_w-MqAyjbQ9UKj8vfaKUBCTG0qdw%40mail.gmail.com.
Can you explain this property of zcap-ld in terms of our standard players and building on our standard scenario?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z3DwLcFi6TXMXX3L0yqpbXKuD%2BWbpOxdiROUAHXnxKh8w%40mail.gmail.com.
Does this scenario have attenuation? If not, what is different about it and what question are we asking?
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z0Y53_uHGvBhHqtPpV_TtbrLsb4DrnPNP8S8conpxJWSg%40mail.gmail.com.
Who defines the sublanguage Alice uses to express attenuations of the kind of thing that Carol is?
Alice then writes an attenuation in that sublanguage. Presumably VatC or Carol interpret it?
Btw, thanks for going through this with me. This is exactly what I've needed to translate concepts between the two systems.
since iama visual thinker i hope somebody some day diagrams such things for posterity :-)
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CAJ7XQb4Dn_cOaNReFsCH_O634u-e9M9%2BT1PORsBZpthvNYskyw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2Sonn%3D5%2BJ_fTt_2sHZvuMTX3Z6fBDdqLqDso8m9%3DZ3Xg%40mail.gmail.com.
Mark S. Miller <ma...@agoric.com> wrote:Who defines the sublanguage Alice uses to express attenuations of the kind of thing that Carol is?That's part of the delegation API. In OAuth, and I presume GNAP, the "scopes" are specified as strings understood by the delegator and the validator of the request.Alice then writes an attenuation in that sublanguage. Presumably VatC or Carol interpret it?VatC.
Btw, thanks for going through this with me. This is exactly what I've needed to translate concepts between the two systems.My pleasure.
--------------
Alan Karp
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z1TyVqSTkJMVdAH4Lv7rbVsojXcpCrvD%2Bz1OmqAsuXpzw%40mail.gmail.com.
No Granovetter diagrams!
Then this attenuation is what Norm Hardy calls a "foreseen facet". If Carol is a file, she may provide a `readOnly()` method for getting read only attenuated access to that file. ThenAlice says:bob <- foo(carol <- readOnly()) // in EorE(bob).foo(E(carol).readOnly()) // in distributed SESAn unforeseen facet is when the author of Carol does not foresee the need for that particular attenuation, so Alice must construct it on her ownbob <- foo(readOnly(carol)) // in EE(bob).foo(readOnly(carol)) // in distributed SESThere was no equivalent of unforeseen attenuation in SPKI-like systems I know. Any exceptions? GNAP?
--
--------------
Alan Karp
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/CANpA1Z2NZ_7SU22njzEF3xA_rVRp%3Du0SwX7P%2Bs8e9bP8Dud%3D3A%40mail.gmail.com.
In practice that's actually easier. Only some combinations make sense. The author of Carol is in the best position to do that abstraction design.
GNAP, which is really OAuth 3, is about to decide to use opaque tokens as capabilities, ala E's sturdy refs, as opposed to non-opaque tokens, such as zcap-ld. The fact that clients don't need to understand the token format is a huge advantage. The downside is that there is no offline delegation; you have to do a token exchange with the issuer.How important is offline delegation?Can you come up with important use cases where there isn't an adequate workaround, such as doing the exchange ahead of time or setting up a facet?
I'm not up to speed on GNAP, but does it supersede the id token and refresh token notions of OAuth2.0/2.1? What about the id token refresh protocol and the client secret?
If not, then I think offline delegation is problematic in two regards. The first is that both the refresh token and the client secret are highly sensitive, and you can't do id token refresh without them. Given the number of ways systems can and do get compromised, I'd be very concerned about a protocol that expanded the exposure of these two tokens by passing them back and forth offline.
--
You received this message because you are subscribed to the Google Groups "cap-talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cap-talk+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/cap-talk/87zgyxw107.fsf%40dustycloud.org.
GNAP, which is really OAuth 3, is about to decide to use opaque tokens as capabilities, ala E's sturdy refs, as opposed to non-opaque tokens, such as zcap-ld. The fact that clients don't need to understand the token format is a huge advantage. The downside is that there is no offline delegation; you have to do a token exchange with the issuer.How important is offline delegation?Can you come up with important use cases where there isn't an adequate workaround, such as doing the exchange ahead of time or setting up a facet?
Are there other advantages to non-opaque tokens? One we know of is the ability to know that the token authorizes what you think it does.--------------
Alan Karp