An interesting use case

[Alan Karp]

Say that Alice wants to send a capability to Carol via Bob who is not trusted with that permission.  The classic solution is a sealed box where Carol has the key.  What if instead, Bob is a message broker, such as Kafka, and Alice has no idea of which instance of Carol will receive the message?  Complicating factors are that the set of Carols is dynamic and keys may need to be rotated.

--------------
Alan Karp

[Raoul Duke]

Seems like Alice & Carols must rendezvous agreement on a key for the box no matter what? Carols could have an advertised public key? but mais oui the validation of "is that really a Carol, and is that really their key?" is an age old problem no? 

[Alan Karp]

I think I've come up with a way to solve this problem with Identifier Based Encryption.  In order for this to work, Alice must know some verifiable property of the instances, one of which will process her message.  Each of those instances gets a secret IBE key derived from that property.  Alice can generate the corresponding public key from the known property.  She delegates the capability certificate to that key, which any of the instances can use.

--------------
Alan Karp

[Raoul Duke]

couldn't the "identifiable property" of a Carol just be a public key?

[Alan Karp]

I guess it could, but I was thinking it would be more like the functionality.

--------------
Alan Karp

On Tue, Dec 2, 2025 at 6:08 PM Raoul Duke <rao...@gmail.com> wrote:

couldn't the "identifiable property" of a Carol just be a public key?

--
You received this message because you are subscribed to the Google Groups "friam" group.
To unsubscribe from this group and stop receiving emails from it, send an email to friam+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/friam/CAJ7XQb7ANuVcRkL2cg6NmBcum35r%2B8eS5PuLqhfoDdhNvE8bBg%40mail.gmail.com.