[cap-talk] Google Chrome - web browser with sandboxed rendering
Ben Laurie
benl at google.com
Fri Sep 5 05:08:39 CDT 2008
On Fri, Sep 5, 2008 at 11:06 AM, Toby Murray
<toby.murray at comlab.ox.ac.uk> wrote:
> On Fri, 2008-09-05 at 10:52 +0100, Ben Laurie wrote:
>> On Thu, Sep 4, 2008 at 10:39 PM, James A. Donald <jamesd at echeque.com> wrote:
>> > Ben Laurie wrote:
>> >> I agree that the problem of making the security decisions is
>> >> considerably harder than that of enforcing them.
>> >
>> > Hence the powerbox user interface model of piggybacking permission on
>> > designation.
>>
>> This particular assertion is beginning to really bug me. Designation
>> works fine for files, maybe, and for drag'n'drop, even more maybe (are
>> you granting read? write? a communications channel? is it permanent or
>> temporary? etc). But I've yet to see any evidence that it makes any
>> sense at all in the context of, for example, sockets.
>
> That's because sockets are not reified in current user interfaces.
> That's not to suggest that they could not be, however, although it would
> be unconventional. Of course doing so may increase the complexity of the
> mental model that the user now must maintain in order to make safe
> designations.
"may"? Do you seriously think there's any doubt that it will?
> I think that experimenting with alternative desktop interfaces that
> reify entities not currently well represented to the user in order to
> try to make better inferences about security policy would be a useful
> thing to explore. I would like to think that the powerbox "Open File"
> dialog, drag and drop etc. only scratch the surface here and that we are
> limited only by the strong familiarity of current desktop interfaces and
> the metaphors in which they rest.
As I've already said, the surface that has been scratched is already
fraught with ambiguity. Seems to me we have a long way to go.
> This may be wishful thinking however.
> Only experimentation can help answer, I reckon.
Agreed.
>
> Cheers
>
> Toby