Here is one scenario whereby a transfer box can be created by the trusted TBC and an untrusted originator O.
O requests a new TB from TBC passing some segment factory likely to be trusted by those to whom O wishes to supply segments.
After TBC verifies that it has indeed received a factory, TBC invokes the factory supplying a long lived space bank and meter.
This yields a memory key S1.
TBC creates a new red segment node accessing S1 and retains node key to the red segment node.
TBC appoints itself to keep the new segment; it is the second, higher keeper.
TBC returns the segment key, S2, for the new node, to O.
O can write information into the segment.
TBC will probably choose to forward any calls to the lower segment keeper, if that does not destroy the scheme.
If the lower keeper was programmed to return its space bank the upper keeper would disallow that call.
When O is finished with the segment, O sends S2 to his consumer.
S2 is the key b, mentioned in the introduction, that the segment consumer shows to TBC for validation.
When the consumer invokes S2 TBC retrieves S2 from the node, deletes the node and returns S1 to the consumer.
These problems remain:
- TBC must guard aginst being blocked on a slow segment factory,
- Space incentives are wrong; who pays for space O uses?
This is the first application, of which I am aware, of two keepers for the same segment.