[cap-talk] network level designation and authorization
Stiegler, Marc D
marc.d.stiegler at hp.com
Thu Jun 8 14:15:45 EDT 2006
> i understand the aversion to VPNs in their traditional form,
> and the historical reasons for this distance. but the concept
> of authenticated and private communication between entities
> seems fundamental. when moving POLA out of a single system
> (Polaris/etc) what do you suggest for communication privacy?
I recommend Granovetter protocols, including captp, httpsy, and the
simple URL-based YURLs currently used in Tyler's CapWiki.
You are correct, authenticated and private communication is essential. I
see VPNs having little to do with that, actually. I have much less
reason to be confident I am talking to Joe if Joe and I are instant
messaging over a VPN through a firewall than if Joe and I are instant
messaging with, for example, the captp-based Echat program that goes peer
to peer. The reason I am not confident using the VPN is that Alice, who
is also behind the firewall through which the VPN tunnels, is sniffing
all our traffic unencrypted. The fun she can have!
> this is where i see VPNs playing a helpful role (since they
> provide the authentication and privacy for communication
> "underneath" applications and operating systems rather than
> forcing them to kludge such crypto bits into every service
> and host which expects privacy)
This is a matter of using the right tools. Do you consider applications
that open their own network sockets to be "kludging" such communication
functionality? In both the E language (using captp) and the Waterken web
server (using webkeys), all the crypto is as invisible to the developer
as would be an external VPN. Indeed, both these systems wrap the
comm+crypto at such a powerful high level that you'll never want to go
back to using sockets again. Forget the advantages of the crypto; it is
just easier and faster for development.
--marcs
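The post names two ideas that travel together in a YURL or webkey: designation of the peer by a fingerprint of its public key (so the URL itself says who must answer, and no VPN, firewall or middlebox on the path can substitute itself), and authorization by an unguessable secret (so holding the URL is the permission). The following is an added example written for this page, not code from E, Waterken, CapWiki or the cap-talk thread. The concrete layout it uses (scheme `httpsy`, fingerprint in the userinfo slot, secret token as the last path segment, SHA-256/base32 fingerprint, function names `make_capability_url`, `peer_matches`, `WebkeyTable`) is an assumption chosen for illustration, not the historical YURL or Waterken grammar, and the "keys" are constructed byte strings standing in for DER-encoded public keys.

```python
# Added example (not from the cap-talk post, E, Waterken or CapWiki).
# Demonstrates a YURL/webkey-style capability URL:
#   httpsy://<key-fingerprint>@<host>/<path>/<secret-token>
# The fingerprint designates WHICH peer may answer; the token authorizes
# WHAT the holder may do. URL layout and names are illustrative assumptions.
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import urlsplit

SCHEME = "httpsy"   # assumed scheme name for the example


def key_fingerprint(public_key_der: bytes) -> str:
    """Fingerprint = base32(sha256(DER public key)), unpadded, lowercase."""
    digest = hashlib.sha256(public_key_der).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").lower()


def make_capability_url(public_key_der: bytes, host: str, path: str,
                        secret: Optional[bytes] = None) -> str:
    """Build the capability URL for `path` on the server owning the key.

    Anyone who can read the URL holds the capability, so it must only be
    handed over inside an encrypted connection whose peer key was checked
    against the fingerprint (see peer_matches).
    """
    if secret is None:
        secret = secrets.token_bytes(16)           # 128 bits: unguessable
    token = base64.urlsafe_b64encode(secret).decode("ascii").rstrip("=")
    return (f"{SCHEME}://{key_fingerprint(public_key_der)}@{host}"
            f"/{path.strip('/')}/{token}")


def peer_matches(url: str, presented_key_der: bytes) -> bool:
    """Client side: accept the connection only if the peer's public key
    hashes to the fingerprint carried in the URL. This is end-to-end: a
    VPN, firewall or CA between the two parties cannot satisfy it."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME or not parts.username:
        return False
    return hmac.compare_digest(parts.username,
                               key_fingerprint(presented_key_der))


class WebkeyTable:
    """Server side: maps secret tokens to the objects they designate."""

    def __init__(self) -> None:
        self._grants: Dict[str, object] = {}

    def grant(self, public_key_der: bytes, host: str, path: str,
              obj: object) -> str:
        """Mint a fresh webkey for `obj` and return the full URL."""
        url = make_capability_url(public_key_der, host, path)
        self._grants[url.rsplit("/", 1)[1]] = obj
        return url

    def lookup(self, url: str) -> Optional[object]:
        """Return the object the URL's token designates, or None.

        Every stored token is compared in constant time so a wrong token
        costs the same as a right one (no timing oracle on the secret)."""
        token = urlsplit(url).path.rsplit("/", 1)[-1]
        found = None
        for stored, obj in self._grants.items():
            if hmac.compare_digest(stored, token):
                found = obj
        return found


# Constructed stand-ins for DER-encoded public keys (not real keys).
JOE_KEY = b"constructed-public-key-joe"
ALICE_KEY = b"constructed-public-key-alice"

if __name__ == "__main__":
    table = WebkeyTable()
    url = table.grant(JOE_KEY, "joe.example", "echat/room", "room-42")
    print(url)
    print("Joe answers:  ", peer_matches(url, JOE_KEY))     # True
    print("Alice answers:", peer_matches(url, ALICE_KEY))   # False
    print("lookup:", table.lookup(url))                     # room-42
```

Two points the code makes concrete: a client that checks `peer_matches` before sending anything never leaks the token to Alice even if the packets cross her firewall, and the server never needs to know who the caller is, only that the presented token designates something it granted. That is why the crypto can be invisible to the application developer: the URL is the whole reference.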