
There are: boxes, box creators and a box creator creator.

The box and the box creator each have a key called its seal. The box also has a bank and two keys called the object and contract keys. Some boxes are locked. The contract is a memory key to a segment describing some agreement. The box is {also} a segment. As a segment the box may or may not be .fixed (in which case the segment is read-only and the contents will not change). The material required to form the segment is acquired only upon storing into the segment.

Calls on the box creator creator (BCC)

BCC(0;PSB==>c;BC) Creates a new box creator to which BC is the only key. Its seal is different from that of any other box creator.

BCC(kt;==>X'7FE54EF4')

Calls on the box creator (BC)

If oc=0 or oc=1 then BC(oc;PSB==>0,B) Creates a box to which B is the only key. The object and contract keys are DK(0). Its seal is that of BC. If oc is 0 then B will be unlocked. If oc is 1 then B will be locked. B is not .fixed and as a segment is all zero.

If 2 <= oc <= 3 then BC(oc,((6,S));SB,B==>c;NB) creates a new box from SB with the same seal, object and contract keys as box B. B must be .fixed. NB is locked just if B is. If oc is 2 then NB will define no valid addresses as a segment {the information in B's segment is not duplicated}. The information in B's segment is duplicated if oc is 3. NB does not depend on the continued existence of B but it does continue to depend on BC. S is a 6-byte limit on the number of pages to be used to copy the segment portion.

C = 0 and NB is the new box.

C = 1 and B is not a box and NB is DK(0).

C = 2 and B is not .fixed and NB is DK(0).

C = 3 and NB is DK(0) and SB did not provide enough material.

C = 4 and NB is the new box but the limit S does not suffice to copy the segment portion.

BC(kt+4;==>) deletes BC and makes all boxes created by BC useless.

BC(kt;==>X'7FE54EF5')

Operations on the box (B)

B(0;O==>c;) makes O the object key of B if B isn't .fixed. If B was .fixed, c = 1 and B is not changed.

B(1;C==>c;) makes C the contract key of B if B isn't .fixed. If B was .fixed, c = 1 and B is not changed.

B(2;B1==>c;C,O) returns the contract key C from B. If B1 is a box and its seal is the same as B's then c=0. If B1 is a box with a different seal then c=1. O is returned in either case. If B1 isn't a box then c=2. If B is locked then O is DK(0) and otherwise O is the object key of the box.

B(3;TK==>c) returns 0 in c if key TK is the object key of B and returns 1 otherwise.

B(4;==>) Fix B. After this operation B is .fixed. (It is OK if B was already .fixed.)

B may be stored into (as a segment) when it is not .fixed. B's bank will provide the material.

B(kt+4;==>) deletes B.

B(kt;==>X'7FE54EF6')

Use of the Box

Commitment

Suppose that a person wishes to commit himself regarding some object.

An example is that he may wish to warrant that some domain will always be prompt.

He presumably holds the only key to some box creator and that fact is publicly known.

He selects a segment holding a suitable contract.

For example it might say: This start key is prompt.

From his own box creator, he creates a new box with the read-only memory key to the contract segment and the start key to the object.

He may then pass the key to the box to whomever he wishes his commitment to be known, say X.

X may now use order code 1 on a box previously acquired from L to ascertain that the commitment is indeed from L. He may also extract from the box the key to the contract and read it. If X holds a key that he supposes is the object key of the box he may use order code 2 on the box to verify this.

If X wishes to guard against L destroying the box, X may use order code 1 on the box to produce another box like the first but beyond the reach of L.

An interesting application of the box is to provide assurance that the contract segment is sufficiently durable. This can be done by the availability of boxes from a third party's box creator asserting that the memory key herein designates a durable segment.

Key Identification

The box can be used to identify a key to someone without giving him the key. Suppose that we wanted to define an operation on a VDK that queried whether a given switcher key SW was the switcher of the VDK without yielding the authority of SW to the VDK. The method is to pass a sealed box to VDK with SW as the key in the box.
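
The box calls listed under "Operations on the box", and the key identification scheme just described, as a small Python model. This is an added example, not KeyKOS code: the class and function names are hypothetical, keys are modelled as Python objects compared by identity, "sealed" is read as locked, and the result of B(2) when B1 is not a box (which the page leaves unspecified) is assumed to be DK(0).

```python
import itertools

DK0 = "DK(0)"                  # stand-in for the data key DK(0)
_seals = itertools.count(1)    # every box creator gets a distinct seal

class Box:
    def __init__(self, seal, locked):
        self.seal, self.locked, self.fixed = seal, locked, False
        self.object, self.contract = DK0, DK0

    def set_object(self, key):             # B(0;O==>c;)
        if self.fixed:
            return 1                       # .fixed: B is not changed
        self.object = key
        return 0

    def set_contract(self, key):           # B(1;C==>c;)
        if self.fixed:
            return 1
        self.contract = key
        return 0

    def compare(self, b1):                 # B(2;B1==>c;C,O)
        if not isinstance(b1, Box):
            return 2, DK0, DK0             # assumption: nothing is returned
        obj = DK0 if self.locked else self.object   # locked hides the object
        return (0 if b1.seal == self.seal else 1), self.contract, obj

    def is_object(self, tk):               # B(3;TK==>c)
        return 0 if tk is self.object else 1

    def fix(self):                         # B(4;==>)
        self.fixed = True

class BoxCreator:                          # what BCC(0;PSB==>c;BC) hands out
    def __init__(self):
        self.seal = next(_seals)

    def new_box(self, oc):                 # BC(oc;PSB==>0,B) for oc 0 or 1
        return Box(self.seal, locked=(oc == 1))

def identify_switcher(vdk_switcher, candidate_sw):
    """Return (c, leaked): c == 0 iff candidate_sw is the VDK's switcher."""
    box = BoxCreator().new_box(1)          # caller side: locked box around SW
    box.set_object(candidate_sw)
    box.fix()
    # VDK side: it holds only `box` and its own switcher key.
    _, _, leaked = box.compare(box)        # B(2) on a locked box yields DK(0)
    return box.is_object(vdk_switcher), leaked
```
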

Design Issues

Data in the box

We seem to need something like the box but which holds some data. Such a thing would be ideal to send as mail. It could be transferred {or copied} (depending on the resolution of the issue described at (scam)) to the recipient's bank.

An approach is to put such data in a segment constructed solely with node keys as segmode keys. This supports the transfer of material from one spacebank to another with bank order codes 2 and 18 thus obviating the construction of a new object.

A neater approach is to make the object itself a segment since I was beginning to imagine that the object would be implemented with a red segment node.

The issue of copying vs. transferring the box between boxes is also involved with the issue of mail to multiple recipients.

It would be appropriate to share the original made by the originator and delete the original when all recipients agreed. The problem of managing this agreement is a famous problem for which I know no obvious policy.

The only obvious course is to provide for making a real copy under another bank even if we do have the bank transfer function.

Deletion upon copy,

Include spacebank spec