Distribute Parse Trees, Not Bytecode
Nick Szabo
szabo@best.com
Thu, 24 Jun 1999 08:28:12 -0700
[+] With an AST we can separately hash each node. Modifying a
leaf node leads to recalculating the hashes of its parents, not
the entire tree. This allows us to distribute signed patches
in log(N) instead of N space (i.e. without resending the entire
program).
[+] Using the same technique, we can verify that a machine-readable
tree is simply a human-readable tree with some canonical
node transformations, e.g. the removal of braces and comments.
The signed machine-readable tree is canonical. A human-readable
tree can be verified against this signature. Verifying the integrity
of the comments requires a second signature.
[-] Except for certain core security programs (such as
E itself, or cryptographic code), I'd much rather rely on
a sandbox with simply provable security properties than
hope the code has been sufficiently inspected by eye.
Signed code can imply or be sold with false promises
which distract from the realizable promise of secure
sandboxes.
szabo@best.com
http://www.best.com/~szabo/
PGP D4B9 8A17 9B90 BDFF 9699 500F 1068 E27F 6E49 C4A2
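The two "[+]" points above in working form, as an added example (this is not code from the original message or from E): a syntax tree whose nodes are Merkle-hashed, a signed patch that carries only the changed leaf plus the sibling hashes along its path, and a canonicalization step that lets a commented, human-readable tree be checked against the signature on the comment-free, machine-readable one, with a second signature covering the comments. The tree encoding, the rule that canonicalization drops "comment" leaves, the patch layout, the sample program and the use of HMAC-SHA256 with a fixed key as a stand-in for a real public-key signature are all assumptions of this example.

```python
import hashlib
import hmac

# Assumed tree format: a leaf is ["kind", "text"], an interior node is
# ["kind", [child, ...]]. "comment" leaves are the human-only material.
KEY = b"demo-signing-key"  # HMAC stands in for a real public-key signature

def h(*parts):
    """SHA-256 over length-prefixed parts, so 'ab'+'c' != 'a'+'bc'."""
    m = hashlib.sha256()
    for p in parts:
        b = p.encode()
        m.update(len(b).to_bytes(4, "big") + b)
    return m.hexdigest()

def node_hash(node):
    """Merkle hash: an interior node commits to its kind and children's hashes."""
    kind, body = node
    if isinstance(body, str):
        return h("leaf", kind, body)
    return h("node", kind, *[node_hash(c) for c in body])

def canonicalize(node):
    """Machine-readable form: the same tree with comment leaves dropped."""
    kind, body = node
    if isinstance(body, str):
        return [kind, body]
    return [kind, [canonicalize(c) for c in body if c[0] != "comment"]]

def sign(root):
    return hmac.new(KEY, root.encode(), "sha256").hexdigest()

def verify_sig(root, sig):
    return hmac.compare_digest(sign(root), sig)

def root_from_path(levels, leaf_hash):
    """Rebuild the root from one leaf hash plus the sibling hashes on its path.
    Work is proportional to the depth, not to the number of nodes."""
    acc = leaf_hash
    for kind, sibs in reversed(levels):
        acc = h("node", kind, *[acc if s is None else s for s in sibs])
    return acc

def make_patch(tree, path, new_leaf):
    """Signed patch replacing the leaf at `path`: the new leaf, the path, and
    per level the interior kind and the other children's hashes (None marks
    the slot on the path). Untouched subtrees are never resent."""
    levels, node = [], tree
    for i in path:
        kind, children = node
        levels.append((kind, [None if j == i else node_hash(c)
                              for j, c in enumerate(children)]))
        node = children[i]
    new_root = root_from_path(levels, node_hash(new_leaf))
    return {"path": path, "leaf": new_leaf, "levels": levels, "sig": sign(new_root)}

def verify_and_apply(tree, patch):
    """Check a patch against the tree we already hold, then apply it.
    Returns the new tree, or None if the patch is inconsistent or unsigned."""
    node = tree
    for i in patch["path"]:
        if not isinstance(node[1], list) or i >= len(node[1]):
            return None
        node = node[1][i]
    # 1. The sibling hashes must reproduce our current root: the patch is
    #    anchored to exactly this tree and changes nothing off the path.
    if root_from_path(patch["levels"], node_hash(node)) != node_hash(tree):
        return None
    # 2. The signature must cover the root the new leaf produces.
    new_root = root_from_path(patch["levels"], node_hash(patch["leaf"]))
    if not verify_sig(new_root, patch["sig"]):
        return None
    # 3. Apply: rebuild only the nodes on the path; other subtrees are shared.
    def replace(n, path):
        if not path:
            return patch["leaf"]
        kind, children = n
        return [kind, [replace(c, path[1:]) if j == path[0] else c
                       for j, c in enumerate(children)]]
    return replace(tree, patch["path"])

# Constructed sample: a human-readable tree with comments (assumed program).
HUMAN = ["program", [
    ["comment", "release funds only to the escrow agent"],
    ["func", [
        ["name", "release"],
        ["block", [
            ["comment", "the caller check is the security-critical line"],
            ["require", "caller == agent"],
            ["send", "amount"],
        ]],
    ]],
]]
MACHINE = canonicalize(HUMAN)
CODE_SIG = sign(node_hash(MACHINE))   # signature over the canonical tree
COMMENT_SIG = sign(node_hash(HUMAN))  # second signature, covers the comments
```

A recipient holding MACHINE can check a commented source file by canonicalizing it and verifying CODE_SIG; the comments themselves are only vouched for by COMMENT_SIG. A patch from make_patch is checked first against the recipient's own root (so it cannot smuggle in changes elsewhere in the tree) and then against the signature on the root it produces; its size grows with the depth and fan-out of the path, not with the size of the program.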