Certificate capability system when nodes can't sign

[Alan Karp]

I've been lurking on the Distributed Web Node (DWN) working group meetings.  A DWN is a set of nodes, typically 3, that act as a unit for availability and redundancy.  Actions taken on one node eventually appear on all.

DWN uses digital certificates as capabilities, but the individual nodes don't have private keys.  As a result, they can't create capabilities.  The current version of the spec introduces an ACL that is used when a user creates an object.  Below is my proposal for avoiding the need for the ACL.

------------------

In a conventional capability system, when you create an object, you get back a capability to that object.  In a system like DWN, capabilities are signed certificates.  When a request comes in, the node verifies the delegation chain looking for a certificate signed with its own key at the root of the chain.  Unfortunately, DWN nodes cannot sign.  In the current spec, the identity of the object's creator is used as an index into an ACL for controlling access.  Fortunately, there is a very simple way to remove the need for this second mechanism.

Say that Alice creates an object.  The DWN node, as it does in the ACL scheme, records that Alice is the creator of that object.  When Alice wants to access that object, say to update it, she creates and signs a capability certificate.  When a node receives the request, it verifies the delegation chain looking for a certificate signed by the creator's key at the root of the chain.
--------------------------

What did I get wrong?

--------------
Alan Karp