Two Types of Delegation: Strict and Categorical
I've had a weird little predicament in my head for a bit now, and I wanted to write it down. I've been doing a lot of work on digital delegation systems, and there's one little architectural distinction that I don't think has gotten enough attention as a capability system design decision.
Both delegation types allow the holder of a capability to share that power with someone else. The difference shows up when a delegated capability is then re-delegated: Does this delegation refer to one specific initial capability, or is it a more open-ended, categorical delegation?
The first type we might call "strict delegations": These grant a specific agent a specific power. These are the safest type of delegation. There is a lot to be said about the power of preserving the context and intention behind a delegation, avoiding "context collapse", and only a strict delegation maintains maximum safety.
One example of the difference between these types of delegations could be seen when managing a claims registry. In a claims registry, anyone could make a claim about anyone else. In a delegatable claims registry, a person could also let someone else make claims on their behalf.
In a strict delegation model, whenever you make a claim, you have to be perfectly specific about exactly who you are making this claim on behalf of, and you are only ever updating a single entity's claim registry at a time.
In a categorical delegation model, a delegation from Alice might say "I'd make any claim Bob made about Carol", and then regardless of whether Bob means to update Alice's registry, make a claim on his own behalf, or is merely vouching for Dave's opinion, any of those choices would impact Alice's claims registry as if Bob had been writing to Alice's registry directly.
This is clearly particularly valuable in an information-propagating system, since we each might want to curate as rich a local view of the world's credible information as possible, but we shouldn't expect an encyclopedia author to have to receive encyclopedia-updating delegations from each subscriber in the world on each topic he writes about.
A categorical delegation can be dangerous in financial situations. A company issuing a departmental budget to an employee would be unhappy if the employee's subscription services began pulling from the company funds as if the subscription approval made no distinction between groups of funds.
Maybe there's a synthesis of this seeming dialectic in drawing appropriate boundaries. An account could even be treated as the unit of this boundary: If Alice kept account 1 for personal use and account 2 for business use, then even if she granted categorical delegations from her personal account, she could not drain her business budget with her personal expenses.
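To make the distinction concrete, here is a small added model (my own constructed example, not code from the original post) of the claims registry from the strict and categorical cases above, including the per-account boundary just described. `ClaimsRegistry`, `grant_strict`, `grant_categorical` and `make_claim` are names invented for this example; registry ids double as principal ids so that "alice-personal" and "alice-business" are two separate accounts.

```python
from collections import deque

# Constructed toy model of the post's claims registry. Registry ids double as
# principal ids, so "alice-personal" and "alice-business" are two accounts.
class ClaimsRegistry:
    def __init__(self):
        self.claims = {}         # registry id -> list of (subject, statement)
        self.strict = set()      # (issuer registry, holder) pairs
        self.categorical = {}    # holder -> set of issuer registries

    def grant_strict(self, issuer, holder):
        """holder may write into issuer's registry, but only by naming it."""
        self.strict.add((issuer, holder))

    def grant_categorical(self, issuer, holder):
        """Whatever holder asserts (or categorically vouches for) lands in issuer's registry."""
        self.categorical.setdefault(holder, set()).add(issuer)

    def _write(self, registry, subject, statement):
        self.claims.setdefault(registry, []).append((subject, statement))

    def make_claim(self, actor, subject, statement, on_behalf_of=None):
        """Record actor's claim; return the registries it touched, in order."""
        if on_behalf_of is not None:
            # Strict path: exactly one named registry, and the grant must exist.
            if (on_behalf_of, actor) not in self.strict:
                raise PermissionError(f"{actor} holds no strict grant from {on_behalf_of}")
            self._write(on_behalf_of, subject, statement)
            return [on_behalf_of]
        # Own-registry write, then fan out along chains of categorical trust. Fan-out
        # follows registry ids, so a grant from alice-personal never reaches alice-business.
        touched, queue = [actor], deque([actor])
        self._write(actor, subject, statement)
        while queue:
            for issuer in self.categorical.get(queue.popleft(), ()):
                if issuer not in touched:
                    touched.append(issuer)
                    self._write(issuer, subject, statement)
                    queue.append(issuer)
        return touched

def demo():
    r = ClaimsRegistry()
    r.grant_strict("alice-business", "bob")       # Bob must name this registry
    r.grant_categorical("alice-personal", "bob")  # "I'd make any claim Bob made"
    r.grant_categorical("bob", "dave")            # Bob vouches for Dave wholesale
    strict_hit = r.make_claim("bob", "carol", "is reliable", on_behalf_of="alice-business")
    categorical_hit = r.make_claim("dave", "carol", "is an expert")
    return strict_hit, categorical_hit, r.claims
```

Dave's unrelated claim propagates through Bob into Alice's personal registry without either of them naming it, while the strict write lands only in the one registry Bob named and never crosses the account boundary.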
Another type of danger from categorical delegations comes from the redeemer potentially cherry-picking which of the user's delegations to deplete. If Alice and Bob both grant Carol an allowance, and Carol gives Dave a categorical allowance over those funds, then if Dave can choose whether to drain Alice's or Bob's funds, he could choose the one he dislikes more. If he coordinated with others in a well-developed network, this kind of selective-redemption attack could be quite potent!
This concern is important to me because I've done some theorizing around something I've come to call Perfect Insurance. The idea assumes a well-developed network of allowances, dense enough that there is often an allowance (or "trust line") to be found connecting two apparent strangers with sufficient maximal flow to enable a novel interaction (either insuring a transaction or, ideally, even funding ambitious new ventures).
When the density of the network becomes the limit on what kinds of novel activity can happen (including paying for education, medical bills, or other important ventures), it becomes critical to find ways to push the throughput of the network to its limit. That would suggest a place for using categorical delegations, but since there are clearly such easy ways to misuse them, I suspect we need to develop a strong theory of the risks around them, to ensure we put appropriate safeguards in place.