Fig. 5. QCM system
4.4 Distributed Evaluation
As mentioned above, QCM was the first system to incorporate credential
retrieval into the evaluation engine. (See Figure 5.) Queries that cannot be
solved using locally available credentials are transmitted to other engines
belonging to principals whose assertions address the query in question. QCM's
credential retriever is designed in such a way that it does not significantly
increase the engine's code size because it shares most of its code with the
evaluator. In the interest of flexibility, the QCM engine has two modes:
verify-only and verify-retrieval. If the calling application chooses verify-only mode,
the credential retrieval feature is disabled. This mode is used, for example, to
check that the credentials returned from a remote query evaluation do indeed
solve the query. In this subsection, we examine several issues that arise in
the context of TM systems like QCM and SD3 in which remote engines are
invoked to answer subqueries.
When one engine queries another, the latter can reply in one of two ways.
Either it can give what QCM calls a direct reply, in which the remote engine
provides a table of tuples that satisfy the query, or it can provide a proof,
a partial proof, or just a set of credentials from which the answer can be
deduced. The former are called extensional answers and the latter three are
called intensional answers, by the designers of SD3. In the case of a direct
reply, the remote engine typically has to construct a new signed credential
containing an assertion (the table) deduced from other credentials. Unlike
when providing answers to another TM engine, answers returned by a TM
engine to the calling application should be extensional [33].
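
The verify-only check and the two reply forms described above, as an added sketch that is not code from QCM or SD3: a local engine verifies each returned credential and re-derives the query without contacting any other engine. The HMAC keys (standing in for public-key signatures), the `issuer.relation` naming rule, and all function and relation names are assumptions made for this example.

```python
import hashlib, hmac, json

# Constructed keys; HMAC stands in for public-key signatures (assumption).
KEYS = {"acl": b"acl-demo-key", "hr": b"hr-demo-key"}

def sign(key, issuer, head, body):
    msg = json.dumps([issuer, head, body]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def cred(issuer, head, body=()):
    return {"issuer": issuer, "head": head, "body": body,
            "sig": sign(KEYS[issuer], issuer, head, body)}

def match(pattern, fact, env):  # extend env so pattern equals fact, else None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if (env.setdefault(p, f) if p.startswith("?") else p) != f:
            return None
    return env if len(pattern) == len(fact) else None

def derive(rules):  # naive forward chaining to a fixpoint
    facts, changed = set(), True
    while changed:
        changed = False
        for head, body in rules:
            envs = [{}]
            for atom in body:
                envs = [e2 for e in envs for f in facts
                        if (e2 := match(atom, f, e)) is not None]
            for env in envs:
                new = tuple(env.get(t, t) for t in head)
                changed |= new not in facts
                facts.add(new)
    return facts

def verify_only(query, answer):
    """Check a remote answer locally; no credential retrieval."""
    rules = []
    for c in answer:
        key, own = KEYS.get(c["issuer"]), c["issuer"] + "."
        # Simplification: a principal may only define "<issuer>.<relation>".
        if key and c["head"][0].startswith(own) and hmac.compare_digest(
                c["sig"], sign(key, c["issuer"], c["head"], c["body"])):
            rules.append((c["head"], c["body"]))
    return query in derive(rules)

# Constructed answers to the query acl.read(alice).
RULE = cred("acl", ("acl.read", "?u"), (("hr.employee", "?u"),))
FACT = cred("hr", ("hr.employee", "alice"))   # with RULE: intensional answer
DIRECT = cred("acl", ("acl.read", "alice"))   # extensional: new signed tuple
```

An answer that omits a needed credential fails here rather than triggering a remote lookup, which is the difference between verify-only and verify-retrieval.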
In addition to supporting extensional answers, SD3 also supports several
forms of intensional answers. The server decides which kind of answer to return
to the client. For example, in order to avoid bottlenecks and denial of service
attacks, the designers of SD3 [33] argue that the server should be able to offer
a range of quality of service, corresponding to different forms of answers. In
the top level of service, the server evaluates the query fully, communicating
with other servers as necessary to do so, and returns a direct reply. A medium
service level might return a partial proof along with hints to the client as to