Re: Thoughts on droplets Dan Bornstein (danfuzz@milk.com)
Tue, 2 Nov 1999 15:00:41 -0800 (PST)

shapj@us.ibm.com writes:
>> That was the obvious answer. But how do you protect the private key from
>> abuse?
>
>That's what the tamper-proof hardware is for. I'm missing something.

Maybe I'm now stating the obvious but it sounds like there are two distinct problems with not-completely-overlapping solutions:

  1. Given a set of trusted hardware controlled by trusted people, how can you link that hardware up over insecure networks to create a trusted distributed virtual machine?
  2. Given a set of (initially) untrusted hardware controlled by (initially) untrusted people, how can you link *your* trusted (by you) hardware up to that untrusted hardware such that you can successfully and selectively build trust and communicate securely?

Jonathan seems to be talking about problem #1, but I think Droplets and E are more about solving problem #2. Both problems are interesting and worth solving. In particular, having a solution for #1 doesn't obviate the need for solving #2 since it's impractical (in today's world) to believe that everyone you wish to communicate with is trustworthy and is furthermore running all their software on a trusted-hardware base that is programmatically verifiable.

Now I have to ask, am *I* missing something?