[cap-talk] Capabilities and Freedom vs. Safety
toby.murray at comlab.ox.ac.uk
Fri Jul 27 12:11:08 EDT 2007
On Fri, 2007-07-27 at 12:00 -0400, Jonathan S. Shapiro wrote:
> On Fri, 2007-07-27 at 20:56 +1000, James A. Donald wrote:
> > Security must be based on real attacks and real threats,
> > not on "proofs" of security which have little contact
> > with reality external to that proof.
> Crap. Security must *address* real attacks and real threats, but if that
> is the only thing they do then the war of escalation continues
> indefinitely. The only currently credible path to ending the war of
> escalation is to get a formal basis under our security models so that we
> can solidly understand them.
I would also add that formal proofs can, and have, detected flaws that
have lain undetected for decades, thereby greatly improving both our
understanding, and the quality, of security technologies and
implementations. See Gavin Lowe's discovery of a flaw in the
Needham-Schroeder Public Key protocol in the mid 90s by modelling the
thing formally in CSP. That flaw had existed since the protocol was
first published back in the 70s.
> > I doubt that rewriting everything in terms of protected
> > capabilities is a good idea, and I am sure that even if
> > it is a very good idea, as many on this list have
> > plausibly and passionately argued, it is not going to
> > get done.
> Then why are you wasting your time and ours?
I would make a different point. Back in the early 80s, I don't expect
many would have believed there'd be an open and freely available
commodity operating system developed collaboratively by thousands. I
hope to live to see your statement proved wrong.
More information about the cap-talk