New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
3rd-party handoff design requirements. #12
Comments
Here is how 3rd party handoff works in E as I understand it: Where we normally speak of Alice giving Bob a reference to Carol, we here speak of the Donor (VatA) giving to the Recipient (VatB) a reference to the Gift (Carol) residing on the Host (VatC). [1] This happens by Donor telling Host over the captp connection between them to wrap up the Gift into a box for Recipient and tag it with a nonce n. This is done by Donor invoking provideFor(Gift, RecipiantVatId, n) on the NonceLocator at the Hosts end and gets a vine v to hold onto. [2] Concurrently/simultaniously/meanwhile Donor informs Recipient of aforesaid Gift by putting a Promise3Desc with Host vatid and nonce n, as an invocation argument in an opDeliver or opDeliverOnly message that bears the eventual send to an object on Recipient that is to recieve the Gift. The Recipient upon comming across that Promise3Desc builds or uses already established captp connection to Host and invokes acceptFrom(DonorVatId, n, v) which gives back a promise to the Gift. [3] Note that in E, a vatid is the cryptographic hash of that vats public key. These diagrams might also help understanding the above. |
As you can see in my previous comment the nonces passed around can be from vats trituplewise counters and are not bearer tokens. (Trituple here is Donor, Host, and Recipiant). As I understand how vatids in E and Agoric work is that, in case of E, the public key of the vat authenticates it at the vattp level (the link layer protocol just underneat captp). |
Since we discussed this last meeting, I thought I'd add the links to the presentation and discussion we had: |
Just found this while browsing github for capnproto stuff: I wonder to what extent it's relevant here. SecretHandshake is used in Secure Scuttlebutt. |
For transport security I've had http://noiseprotocol.org/ in mind, and Kenton has mentioned it in the past too. |
I'd like to explore others' requirements for how 3rd-party handoff works, and find out if there are any unusual requirements. The reason for this is that currently capnp has a sketch of the protocol in
rpc.capnp
, but none of the implementations actually support it yet, so the design is more flexible there. If there are things that can be done in the design phase to improve compatibility with ocapn, it would be good to know about them while we still have the flexibility.Things that come to mind:
The text was updated successfully, but these errors were encountered: