Monday, August 26, 2013

Oblivious Transport

Suppose Alice wants to tell Bob a secret, but has to do so via an intermediary,
Carol. Alice can hand Carol a capability containing the secret, which has a
method allowing access to the secret, but only if that method is also handed
a second capability. Only Bob and Alice have this second capability. Alternatively,
the second capability can have a method which can unseal the first
one.
Carol can then hand that capability on to Bob, who can then combine it
with the “unsealing” capability to access the data inside.

This may seem like an artificial construction, but consider the case where
Alice and Bob are components of a trusted system, and Carol is untrusted
code running in that system. Combining this idea with the example above, the
capability handed to Carol could also contain data which, when handed to the
trusted HTML renderer, would be made visible to the user, but which Carol
could not herself see. Carol may determine from user actions that this capability
should be used to perform some action on behalf of the user and hand it on to
Bob to do so.
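
The arrangement described above, sketched as an added example that is not part of the original post: a sealer/unsealer pair held only by Alice and Bob, with Carol carrying the sealed box. The names `makeSealerPair`, `alice`, `carol`, `bob` and `tryUnseal` are hypothetical, and the secret is a constructed sample value.

```javascript
// Returns a matched sealer/unsealer pair. Boxes made by `seal` are opaque
// frozen objects; the payload lives in a WeakMap only this closure can reach.
function makeSealerPair() {
  const contents = new WeakMap();
  function seal(secret) {
    const box = Object.freeze(Object.create(null));
    contents.set(box, secret);
    return box;
  }
  function unseal(box) {
    if (!contents.has(box)) throw new TypeError('not sealed by this pair');
    return contents.get(box);
  }
  return Object.freeze({ seal, unseal });
}

// Alice and Bob (trusted components) share one pair; Carol never receives it.
const shared = makeSealerPair();

// Alice: wrap the secret in a capability Carol can hold but not open.
function alice(secret) { return shared.seal(secret); }

// Bob: combine the box with the unsealing capability.
function bob(box) { return shared.unseal(box); }

function tryUnseal(unseal, box) {
  try { return unseal(box); } catch (e) { return 'refused: ' + e.message; }
}

// Carol (untrusted): record everything she can learn from the box, then
// forward it unchanged to the recipient she was given.
function carol(box, deliver) {
  const observed = {
    keys: Reflect.ownKeys(box),      // no properties to enumerate
    json: JSON.stringify(box),       // serialises to an empty object
    // An unsealer from a pair Carol makes herself does not open Alice's box.
    ownUnsealer: tryUnseal(makeSealerPair().unseal, box),
  };
  return { observed, delivered: deliver(box) };
}

function demo() {
  return carol(alice('constructed sample secret'), bob);
}
console.log(demo());
```
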
