A Simple Transfer Protocol

Warning: This seems to be an incomplete idea.

Suppose that I want to create a segment filled with data and then send you access to the segment. Keykos does that easily. Suppose that I want to prove to you that I can no longer write nor delete the segment. This seems to require a form of escrow function.

Assume a new kind of object, the transfer box, TB. There is a TBC that creates TBs and vouches for the validity of an extant TB. A TB has one order that returns the single key that it holds and in so doing deletes itself. The invoker of the TB is assured that the returned key is the only key to the object that it denotes. If that key turns out to denote a segment created by and vouched for by a known segment creator, then the invoker knows that the segment will persist. The segment recipient, H, does the following with the received key, b:

Passes b to TBC asking about its validity.
Invokes b to retrieve the segment key S.
Invokes the known trusted segment creator to ensure that S is kept by trusted code.

If TBC and the segment creator were both positive, then the new holder, H, of the segment key knows that the segment will last until H deletes it and hold only data that it now holds, or is written via S that H holds exclusively at this point.

Here is the Scheme code to do the TBC:

(define (TBC x) (let ((x x)) (lambda () (let ((y x)) (set! x '()) y))))

H must be prepared for the TB disappearing after the acknowledgment from TBC, as the originator that invoked TBC to create TB retains access to the TB until after H has invoked the TB. There is a race to invoke the TB if its originator is trying to cheat.

The somewhat more complex problem of where the TB comes from is left as an exercise.

This is a special case of the durability problem.

This is a twist on the patent: Generic transfer of exclusive rights.