What Does the 'y' Refer to?
This document defines the properties of a YURL.
The most fundamental primitive of distributed messaging is the sending of a message to a remote site. The message target is determined by an identifier. One site is introduced to another by receiving such an identifier. Fig. 1 demonstrates this concept.
In Fig. 1, Alice introduces Carol to Bob. The arrows represent identifiers and the circles represent sites. The short fat arrow represents a message. The sociologist Mark Granovetter originally developed diagrams of this type to illustrate how the topology of interpersonal relationships changes over time, as people introduce acquaintances to one another. [Granovetter]
Granovetter diagrams are a powerful tool for understanding how distributed messaging networks evolve. [Ode] For example, Fig. 1 is also an accurate depiction of the use of OIDs in CORBA, the use of channels in the pi-calculus, and the use of URLs in the WWW. The Granovetter diagram is applicable to any messaging network in which sites lack omniscience.
The Granovetter diagram shows that in the absence of omniscience, a site's connection to a target site is determined by the site that performed the introduction. For example, in Fig. 1, Bob becomes connected to Carol because Alice introduced Carol to Bob. If Alice had instead introduced Dave to Bob, Bob would be connected to Dave instead of Carol. Since Alice decides which identifier to send to Bob, Alice determines what identifier Bob will use when sending messages. Alice determines the target of messages sent by Bob.
This fundamental property of introduction is highlighted in Fig. 1 by the two bold arrows that form a 'y' shape. A YURL is an identifier that allows Bob to rely on this y-property of introduction not being violated. Bob can then be confident that his messages are only delivered to the target that Alice specified.
As a concrete example of the importance of the y-property, consider the case where Alice is a bank, Bob is a customer and Carol is Bob's bank account.
Enforcing the y-property depends on the features of the identifier for the introduced site. In Fig. 1, this identifier is the short bold arrow, pointing to Carol. To enforce the y-property, the identifier MUST provide enough information to: locate the target site; authenticate the target site; and, if required, establish a private communication channel with the target site. A URL that meets these requirements is a YURL.
Briefly stated, the y-property is: "The introducer determines the message target."
The y-property means that only the introducer has the privilege of determining the recipient of a message sent to the introduced site and the processor of the sent message. The introducer is the site authorized to write to a communication channel read by a client site. The introducer uses the communication channel to provide an identifier to the client site. The identifier identifies the introduced site. The introduced site is a site selected by the introducer. The client site is the site that receives the identifier and uses it to send a message to the introduced site. Receiving a message means having access to the plaintext of the message. Processing a message means producing a response message which the client site will accept as an authentic response to the sent message.
The y-property is the result of applying the principle of least privilege to the fact that the introducer decides which site to introduce.
The term YURL refers to a subset of URL. Like a URL, a YURL MUST provide the information required to open a communication channel to the target site. The YURL may locate the target site by directly giving its network location or by specifying a locating service which can ascertain the target site's current network location. The use of a locating service is encouraged.
A YURL MUST provide all the information required to authenticate the target site. Authentication of the
target site MUST ONLY rely on information contained in the YURL. If any outside information were
used for authentication, the creator of that information would have power to determine the target
of sent messages, violating the y-property. In particular, any URL scheme that depends on the PKI for
authentication, such as
The creator of a YURL may wish to be the sole recipient of a message, or may wish that the message be available to unspecified others. The message target may be public to enable caching. If the message target is private, the YURL MUST provide a means to establish a private communication channel with the target site. If a private message is not sent over a private communication channel, an eavesdropper could receive the message, violating the y-property.
The choice of whether a message target is public or private MUST ONLY be made by the creator of the YURL. A decision to not use a private communication channel MUST ONLY be made based on information contained in the YURL, or obtained from the authenticated target site.Adversary motivation:
The adversary is trying to violate the y-property.Adversary capabilities:
All sites are located on a public network. The adversary can intercept and modify any packet after it has left a site.
[Granovetter] M. Granovetter; "The Strength of Weak Ties"; American Journal of Sociology Vol. 78, pp.1360-1380; 1973
Copyright 2002 - 2003 Waterken Inc. All rights reserved.