The presentation fails to say how authentication fits in with the crypto and I think this must be carefully specified for a strong system.

Public key crypto provides a global concept of identity: Choose a key pair and distribute the public key and no one else can claim your identity so long as you conceal your private key. With symmetric keys identity is a pairwise arrangement. I may have an adequate handle on who you are but I cannot identify you securely to John so that John can compare my designation of you with some other designation of you. Furthermore John can do this comparison offline — he need not consult the two candidates to see if they are the same, even if there is such a feasible protocol. You can compare public keys from different sources. I see no symmetric key analog. In the scenario of the presentation, if B is given access to C by both A and D, can B determine that these two versions of C are indeed the same entity?

It is not clear that it is necessary to solve this problem but its lack of solution prevents me from using familiar system patterns.

The section titled “Refinement” attempts to fix some of these points, at the expense of clarity, I fear.


Here are some modifications to sharpen some issues of trust. We assume that A, B and C are general software platforms that host objects that relate to each other via capabilities. Each communications link between a pair of platforms is a symmetric link as described above and is divided into a number of channels, capabilities to which are owned by various objects on the platforms terminating the links. These channels are numbered by a numbering plan private to the link. Traffic on the link is associated with a particular channel by this number.
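An added example, not part of the original note, modeling the question raised above: B is handed C by both A and D, once as a public key and once as a channel on a symmetric link whose numbering plan is private to that link. The second entity E, the toy group parameters and the channel numbers are assumptions made for illustration.

```python
import hashlib
import secrets

P, G = 2**255 - 19, 2  # toy discrete-log group (assumption), not a vetted parameter choice

def keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def fingerprint(pub):
    # A public key is a global name: anyone can hash and compare it offline.
    return hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()

class Link:
    """Symmetric link between two platforms, with a link-private channel plan."""
    def __init__(self, near, far, first_channel):
        self.name = f"{near}-{far}"
        self.key = secrets.token_bytes(32)  # pairwise secret; means nothing to a third party
        self.next_channel = first_channel
        self.table = {}  # channel -> object; kept by the granting end, not visible to B

    def grant(self, target):
        n, self.next_channel = self.next_channel, self.next_channel + 1
        self.table[n] = target
        return (self.name, n)  # the whole of what the grantee holds

def scenario():
    _, c_pub = keypair()
    _, e_pub = keypair()  # E: a second, unrelated entity (assumption)
    from_a, from_d = c_pub, c_pub  # A and D each pass B their copy of C's public key
    pk = {"same_c": fingerprint(from_a) == fingerprint(from_d),
          "c_vs_e": fingerprint(from_a) == fingerprint(e_pub)}
    ab, db = Link("A", "B", 7), Link("D", "B", 7)
    c_via_a = ab.grant("C")  # B holds ("A-B", 7)
    e_via_d = db.grant("E")  # B holds ("D-B", 7)
    c_via_d = db.grant("C")  # B holds ("D-B", 8)
    sym = {"c_via_a": c_via_a, "e_via_d": e_via_d, "c_via_d": c_via_d,
           "numbers_match_for_different_entities": c_via_a[1] == e_via_d[1],
           "numbers_match_for_same_entity": c_via_a[1] == c_via_d[1]}
    return pk, sym

if __name__ == "__main__":
    pk, sym = scenario()
    print("public key:", pk)
    print("symmetric :", sym)
```

In this model B's two handles on C differ while its handles on C and E share a channel number, so nothing B holds on the symmetric side answers the "same entity?" question without consulting A or D.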