[cap-talk] Selling capabilities programming
Jonathan S. Shapiro
shap at eros-os.com
Sun Jul 15 12:56:46 EDT 2007
On Sat, 2007-07-14 at 22:33 +1000, James A. Donald wrote:
> All the diverse file menus should operate by requesting
> one piece of trusted code, which alone has the ability
> to discover what files are available, and construct a
> file handle to one of them.
I disagree.
We spent a good bit of time on this subject designing our secure browser
for DARPA. The conclusion was that (surprisingly) MS has gotten
something right here (in abstract, not in detail).
If you look at something like Word or VC++ in detail, you find that the
application framework is fully generic, and all of the editing goop is
actually plug-ins. This is true of OpenOffice as well. That is: the app
framework is a shell, and the plug-ins are not.
Their interfaces between plug-ins and framework are FAR too rich, and
unnecessarily so, but the basic application structure is there.
OpenOffice, at least, could be adapted to a more suspicious framework
mindset.
> As for shells, well, we have to get by with one general
> shell and a few deliberately limited special purpose
> shells - a shell must be a powerbox, and we cannot have
> numerous or excessively complex powerboxes.
Technically I agree. Pragmatically: good luck. This is an area where
security will run up against usability, and users will choose usability.
--
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
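The structure discussed in this exchange, as an added example that is not part of the original post or of any EROS, Word, or OpenOffice code: one trusted powerbox that alone can enumerate and open files, a generic framework that holds it, and an untrusted plug-in whose entire interface to the framework is a single narrow read capability. The names (Powerbox, ReadCap, WordCountPlugin, Framework) and the sample files are invented for the illustration.

```python
# Added example (not from the cap-talk thread): a toy powerbox in the shape the
# post describes. Powerbox alone can list the directory and open files; the
# Framework hands a plug-in only a ReadCap for the one file the user chose.
# All class names and sample data here are invented for illustration.
import os
import tempfile


class ReadCap:
    """Capability to read one already-opened file.

    It carries no path and no directory authority, so a plug-in holding it
    cannot discover or open any other file.
    """

    def __init__(self, fh):
        self._fh = fh

    def read(self):
        return self._fh.read()

    def close(self):
        self._fh.close()


class Powerbox:
    """The one trusted component: it alone can enumerate and open files."""

    def __init__(self, root):
        self._root = os.path.abspath(root)

    def available(self):
        return sorted(os.listdir(self._root))

    def choose(self, name):
        # In a real powerbox the *user* picks; here the caller simulates the pick.
        # Refuse anything that is not a plain entry of the box's own directory.
        path = os.path.abspath(os.path.join(self._root, name))
        if os.path.dirname(path) != self._root or name not in self.available():
            raise PermissionError(f"not a selectable file: {name!r}")
        return ReadCap(open(path, "rb"))


class WordCountPlugin:
    """Untrusted plug-in: its whole interface to the framework is one ReadCap."""

    def run(self, cap):
        return len(cap.read().split())


class Framework:
    """The application shell: holds the powerbox and never leaks it to plug-ins."""

    def __init__(self, powerbox):
        self._powerbox = powerbox

    def open_with(self, plugin, chosen_name):
        cap = self._powerbox.choose(chosen_name)
        try:
            return plugin.run(cap)
        finally:
            cap.close()


def demo():
    """Run the plug-in on one chosen file, then try to reach outside the box.

    Returns (word count of the chosen file, whether the escape was refused).
    """
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample input, not data from the original page.
        with open(os.path.join(root, "notes.txt"), "w") as f:
            f.write("hello capability world")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("never handed to the plug-in")
        fw = Framework(Powerbox(root))
        count = fw.open_with(WordCountPlugin(), "notes.txt")
        try:
            fw.open_with(WordCountPlugin(), "../outside.txt")
            refused = False
        except PermissionError:
            refused = True
    return count, refused


if __name__ == "__main__":
    print(demo())  # (3, True)
```

The point of the split is that WordCountPlugin never sees a path, a directory listing, or the Powerbox object itself; if the plug-in is compromised, the worst it can do is misuse the one file the user already chose to give it. A real framework-to-plug-in interface would carry more than a single read capability, but the discipline is the same: pass narrow capabilities, never the authority that mints them.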