wire

A Layering for Distributed Capabilities

Warning: Computer Science

I assume here a wire with these properties:

A wire has two fixed ends.
A wire carries bits in each direction.
The ends are each accessible within a capability system via a capability.

I think it goes without saying that the same bits come out one end that go into the other. Some wires are secret and others are not. The secret wire delivers bits only to the other end. (This is computer science and whether wires exist is not in scope!)

It is possible to write a capability constrained program T two instances of which on cap systems hold wire capabilities to the respective ends of a secret wire and thereby provide an illusion of distributed capabilities over the combined systems as one system. This extended cap system does not impact the previous cap systems or the assurances they provide. Proposed terminology: T relies on unforgeability of bits on the wire, but not unguessability.

A theorem is that tenants of either of these systems that do not rely on this new facility are not at risk to bugs therein.

If the wire is not secret then the integrity of plans that rely on the wire is maintained, but execution secrecy for those plans is not.

T requires efficient synergy. Keykos provides synergy with brands and the KID.

If the systems provide eq? (comparison of capabilities for equality) for general use, then so may the illusory world. This is broken when there are two wires between one pair of systems. The graph of wires needs to be acyclic for eq? to survive. eq? retains some of its useful properties. T can be modified to recognize products of other instances of T and preserve eq? in cyclic networks.

T can be modified to shorten paths of messages that travel over several wires.

Given two capability systems B and C, a wire between them and two instances of T connected to the ends, there is a new capability system B∪C. ∪ is commutative, associative and idempotent: B∪C = C∪B and A∪(B∪C) = (A∪B)∪C and A∪A = A. There is gold to be found in an adequate definition of the equivalence relation ‘=’ above. Graph theory is needed.

end of Computer Science

Can wires be built?

They can be installed like PCIe wires within the confines of a few inches.

It is hard but wires can be built with crypto and access to untrusted networks if those networks deliver enough good data frequently enough. The crypto can be done by ordinary code in the cap systems. Precautions beyond those of Keykos may be necessary.

I ignore here a necessary part of the problem of how wires are introduced.

Adjacent terminals to respective cap platforms, wired together, can form a wire.

Confusion

If we rely on a wire, and that wire relies on secrets, then are we relying on secrets. “To rely on” has been taken as a transitive relation. I need “rely” with that meaning. There is a clash then as to whether we say that T relies on secrets. T’s internal logic does not employ secrets. Do we need a new word? Will anyone use our new word? I propose:

T does not employ secrets.
Some configurations of T rely on secrets.

The core of these ideas appeared in Jed Donnelley’s paper spelled out in much more detail.

We speculate on some logic for T that works in Keykos here.

Here is an entirely different protocol which, while more complex, solves a bigger problem. It assumes a network which can be relied upon to move enough bits soon enough to the right place, frequently enough. I think that Internet fits their requirements and that the protocol is sound. It also addresses failures and restarts of capability systems which the wire protocol ignores.