[cap-talk] Wikipedia: Object-capability model - excluding distributed

Jed Donnelley capability at webstart.com
Tue Jan 9 03:24:12 CST 2007


At 09:45 PM 1/8/2007, John McCabe-Dansted wrote:
>On 1/9/07, Mark S. Miller <markm at cs.jhu.edu> wrote:
> > John McCabe-Dansted wrote:
><snip>
> > If each machine's TCB is relied upon only by the software running on that
> > machine, then the machines themselves, as mutually defensive subjects, know
> > these secret bits, and other machines cannot assume they will not disclose
> > them. This is the standard crypto case. If each machine's TCB is relied upon
> > by all the software running on all the machines, then we're back to the single
> > multiprocessor with the long backplane.
>
>Do we need to decide? Could we think of the TCBs of other machines as
>something like a membrane that wraps access to all objects running on
>that machine?
>
>If so, the POLA answer to "do we trust the TCBs of other machines" is
>clearly "yes, but no more than we have to".

If I had a bit more time to respond in this area I was going to
say something along the lines of the above, so I'll just add
my agreement to the above.

I also think that the case of the extraterrestrial communication
that might come with public-key identities but where "they" could
in fact be collaborating behind the scenes is also relevant to
this case.

I designed the two-node vat example with no encryption to exclude
all notion of identity and even to munge all object access at the
two ends of the line just to consider the extreme example.  I believe
that it's better to have the separate identities and the separate
capabilities as if on a more general network, even if the potential
existed for the one trusted vat at the other end.  It's all just
POLA in my book.  If I receive communication from what seem like
separate identities, but behind the scenes they are really intimately
communicating or they're running in an untrusted "vat" or even if
in some sense they're really the same identity, there really
isn't much that I can do about it.  That's where Web of trust seems
to me to come in:

http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0xB70B7F99

Anybody from cap-talk willing to sign my PGP key (0xB70B7F99)?
I'll be happy to give you a call or otherwise identify myself
in case the above text isn't enough.

It's useful to have the separate identities to allow the possibility
of separation of trust, even if none ends up being justified.  By
now some of you do know me from Adam.

--Jed  http://www.webstart.com/jed-signature.html 
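The "membrane that wraps access to all objects running on that machine" from the quoted reply, written out as a small working example. This is added code, not from the cap-talk post or from any capability system the thread discusses; the "remote vat" and its counter service are constructed stand-ins for whatever the far machine actually exports. The membrane implements the "yes, but no more than we have to" answer: every object from the far side is reached only through a proxy, primitives pass through because they carry no authority, and one revoke() cuts every reference at once. It does nothing about a remote TCB that lies or colludes behind the scenes, which is exactly the post's point; it only bounds what was handed across.

```javascript
// Added example (not code from the cap-talk post): a revocable membrane in the
// object-capability style. The "remote vat" below is a constructed stand-in.

function makeMembrane(rootTarget) {
  let revoked = false;
  const targetToProxy = new WeakMap(); // one proxy per target, so identity is stable
  const proxyToTarget = new WeakMap(); // lets method calls run against the real receiver

  function checkLive() {
    if (revoked) throw new Error("membrane revoked");
  }

  function wrap(value) {
    const isRef =
      value !== null && (typeof value === "object" || typeof value === "function");
    if (!isRef) return value; // numbers, strings, etc. carry no authority
    if (targetToProxy.has(value)) return targetToProxy.get(value);

    const handler = {
      get(target, prop) {
        checkLive();
        return wrap(Reflect.get(target, prop, target)); // results are wrapped too
      },
      set(target, prop, v) {
        checkLive();
        return Reflect.set(target, prop, v, target);
      },
      has(target, prop) {
        checkLive();
        return Reflect.has(target, prop);
      },
      apply(target, thisArg, args) {
        checkLive();
        // A call like proxy.method() arrives with the proxy as `this`; unwrap it.
        const realThis = proxyToTarget.has(thisArg) ? proxyToTarget.get(thisArg) : thisArg;
        return wrap(Reflect.apply(target, realThis, args));
      },
      construct(target, args) {
        checkLive();
        return wrap(Reflect.construct(target, args));
      },
    };
    const proxy = new Proxy(value, handler);
    targetToProxy.set(value, proxy);
    proxyToTarget.set(proxy, value);
    return proxy;
  }

  return { proxy: wrap(rootTarget), revoke: () => { revoked = true; } };
}

// Constructed sample: a "remote vat" that exports a counter service by name.
function makeRemoteVat() {
  const counter = {
    count: 0,
    increment() { this.count += 1; return this.count; },
  };
  return { lookup(name) { return name === "counter" ? counter : undefined; } };
}

// Worked run: everything on the far side is reached through the membrane.
function demo() {
  const { proxy: vat, revoke } = makeMembrane(makeRemoteVat());
  const counter = vat.lookup("counter");
  const sameRef = vat.lookup("counter") === counter; // identity survives the membrane
  counter.increment();
  const afterTwo = counter.increment(); // 2: the call ran against the real object
  revoke();
  let failedAfterRevoke = false;
  try { counter.increment(); } catch (e) { failedAfterRevoke = true; }
  return { sameRef, afterTwo, failedAfterRevoke };
}
```

A production membrane would also need to respect the Proxy invariants on frozen or non-configurable properties (the `get` trap may not substitute a wrapper for a non-writable, non-configurable data property), and would wrap arguments flowing inward as well, so the far side never obtains direct references to objects on this side.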