Thoughts on droplets

Tyler Close
Mon, 1 Nov 1999 21:30:50 -0800 (PST)

shapj wrote:
> Therefore, I believe that MarkM's claim is flawed. The flaw
> lies in the presumption that no software can be trusted, and
> that if it could there is no means to assure that the
> software is running on real hardware.

I think it is highly probable that there is no means to
assure that an outside TCB can be trusted. Currently, all
attempts to achieve this are based on secret hardware. This
means entering into a Cold War-like competition to have more
advanced and better deployed technology than potential
attackers. If we build ecommerce upon such a platform, then
attackers will have a large incentive to have superior
technology and search for lags in the deployment.

Using trusted external TCBs also does not set the right
design tone for application developers. Surely you do not
advocate applications being designed with 'secret' keys.
Having this inconsistency at the root of the world will
encourage propagation of this inconsistency.

Norm, Mark, Dean, and others have done a remarkable job of
theorizing a highly functional and performant platform that
does not require trusted, external TCBs. I think this
platform is more than sufficient for ecommerce. Given this
belief, pursuing technology that requires trusted external
TCBs is wasted effort and a degradation of the
security/functionality of the platform.

Worse than wasted effort, a trusted external TCB platform
might create a monopoly like the current Verisign PKI
monopoly. This seems completely unacceptable to me. Since
it is also completely avoidable, the path seems clear.
