[cap-talk] Argument for capabilities as data in NLTSS

Karp, Alan H alan.karp at hp.com
Tue Jul 17 18:50:16 EDT 2007


Shap wrote:
> This is what I thought you meant. What you say is true if you send that
> capability to an untrusted node. If you do that, you are pretty much
> hosed eight ways from Sunday. The problem with the statement taken as a
> design criterion is that it excludes the possibility of mutually trusted
> nodes. If the target node is untrusted, the presence of link encryption
> is of course irrelevant. But the question I would ask in response to
> this proposition is: "Well why the hell did you send a clear-text
> capability to an untrusted node?"

Because I expect some benefit even if I expose myself to some risk.
Trust is not absolute.  I'm not "hosed eight ways from Sunday".  I'm
only vulnerable to the extent that the capability is actually misused.
The valet parking attendant can indeed steal my car but can't unlock my
safe deposit box.  (I know you know this, Jonathan, but I want to make
sure the newcomers to the list don't miss this point.)

________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
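The valet-key point above, that a leaked capability exposes only the authority it actually carries, is the usual argument for handing out attenuated capabilities. As an added illustration (not code from this thread, not NLTSS code, and with all class and function names as assumptions), here is a toy object-capability model in Python: the attendant is given a narrowed, revocable facet of the car rather than the car itself, so whatever the attendant does with it is bounded by what the facet forwards, and the safe deposit box, to which no reference was ever passed, is unreachable.

```python
"""Bounding the damage from a leaked capability by attenuation.

Added illustration, not code from the original thread or from NLTSS: a toy
object-capability model in which the authority handed to a less-trusted
party is a narrowed facet (a "valet key") rather than the full object, so
misuse is limited to exactly what the facet conveys. Names are assumptions.
"""


class Car:
    """Full authority over the car: drive any distance, open the trunk."""

    def __init__(self, name):
        self.name = name
        self.log = []  # record of everything done through the full authority

    def drive(self, miles):
        self.log.append(("drive", miles))
        return miles

    def open_trunk(self):
        self.log.append(("open_trunk",))
        return "trunk opened"


class SafeDepositBox:
    """Unrelated authority; the attendant is never given a reference to it."""

    def __init__(self, contents):
        self._contents = contents

    def unlock(self):
        return self._contents


class ValetKey:
    """Attenuated facet of Car: bounded mileage, no trunk, owner-revocable.

    There is deliberately no open_trunk method here; the facet does not
    forward it, so the holder cannot reach that authority at all.
    """

    def __init__(self, car, max_miles):
        self._car = car
        self._remaining = max_miles
        self._revoked = False

    def drive(self, miles):
        if self._revoked:
            raise PermissionError("valet key revoked")
        if miles > self._remaining:
            raise PermissionError("mileage limit exceeded")
        self._remaining -= miles
        return self._car.drive(miles)


def make_valet_key(car, max_miles):
    """Return (facet, revoker): the facet is handed out, the revoker stays with the owner."""
    key = ValetKey(car, max_miles)

    def revoke():
        key._revoked = True

    return key, revoke


def untrusted_attendant(key):
    """Model a party that misuses whatever it was handed; report what succeeded."""
    outcome = {}
    outcome["short_trip"] = key.drive(5)  # the legitimate use: parking the car
    try:
        key.drive(500)
        outcome["joyride"] = "succeeded"
    except PermissionError as exc:
        outcome["joyride"] = f"blocked: {exc}"
    try:
        key.open_trunk()
        outcome["trunk"] = "opened"
    except AttributeError:
        outcome["trunk"] = "blocked: facet carries no trunk authority"
    return outcome


def scenario():
    """Hand an attenuated facet to the attendant, then revoke it; return what happened."""
    car = Car("sedan")
    box = SafeDepositBox("deeds")  # exists, but is never passed to the attendant
    key, revoke = make_valet_key(car, max_miles=20)
    result = untrusted_attendant(key)
    revoke()  # owner takes the car back; the facet the attendant still holds is inert
    try:
        key.drive(1)
        result["after_revoke"] = "drove"
    except PermissionError:
        result["after_revoke"] = "blocked"
    result["car_log"] = list(car.log)  # only the bounded use reached the real car
    result["box_untouched"] = box.unlock() == "deeds"
    return result


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The design choice worth noting is that revocation lives in a separate closure returned to the owner, not on the facet: the attendant holds exactly one object, and that object conveys nothing beyond bounded driving.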