On Fri, Jul 14, 2023 at 10:25 PM Alan Karp <
alan...@gmail.com> wrote:
>
> Sorry for the delay in replying. I had to find the time to grok what you were saying.
>
> Yes, it's possible to confuse a deputy with capabilities. Christine Weber demonstrated one with sealed boxes. The error is picking whatever unsealer you have rather than one specific to the box.
>
> My concern with the UCAN approach is more basic. For example, the spec never says that the URI must match the resource designation in the Authorization. That wouldn't be a problem except that they allow wildcard capabilities. I've argued that those certificates are fine for delegation but must not be accepted in an invocation, something else omitted from the spec.
>
> Then there's the problem of multiple arguments. I don't believe there's a problem if there's a 1-1 mapping between arguments and authorization certificates, but what if the same resource is designated for multiple arguments? These more complex patterns aren't covered by the UCAN use cases or the invocation spec.
>
Ouch, only looking at those invocation docs, I wasn't aware of
wildcard capabilities... I was assuming a 1-1 mapping as above, and I
agree that it makes all problems worse...
I still really don't like there being a 1:many mapping between
capability and authorization... even with a 1:1 mapping between
invocation target and authorization certificates.
There are a few things which still bother me even though without wildcards,
in a unforgeable capability something like: `Cap(unique_addr,
rights)`... the value `(unqiue_addr, Cap(unique_addr, rights))` it is
possible that a capability can be "no more powerful" than the former.
This is not the case here where we have `UCan-cap([unique_addrs,
...])`, but which can now be invoked if you have `(unique_addr,
UCan-cap([unique_addrs, ...]) where unique_addr exists in
unique_addrs` becomes invokable....
The entire fact that a capability can now present multiple
authorizations makes me worry/wonder if it doesn't expand the number
of individuals who need to be concerned about rights amplification.
I'm not certain what that would actually look like but it seems like
it could perhaps be an issue if there are multiple sources of
authorization in the capability.
anyhow this all seems far too fancy for simple me, but such issues are
probably par for the course with distributed systems. Either way i
feel like "stick all the authorizations in a bucket", leaves
ample opportunity to ignore rights amplification issues...
> My argument is that the spec should simply use the authorization certificate to designate the resource instead of a URL. I believe that will remove any ambiguity.
certainly no love for URLs which never seem any less problematic than
file names...
> To view this discussion on the web visit
https://groups.google.com/d/msgid/cap-talk/CANpA1Z0rzDYjHzay1wMzjzQPOGHb8Rv55mWfQKWzFxHb5XDkdw%40mail.gmail.com.