Thoughts on droplets
Tue, 2 Nov 1999 10:15:50 -0500

> I think it is highly probable that there is no means to
>assure that an outside TCB can be trusted. Currently, all
>attempts to achieve this are based on secret hardware.

Nonsense. straightforward cryptography.  This is not the same as secret
hardware -- the security rests in the mathematics, not in some undisclosed
property of the hardware.

>Using trusted external TCBs also does not set the right
>design tone for application developers. Surely you do not
>advocate applications being designed with 'secret' keys.

Indeed not.  I advocate a design in which there is a minimal amount of
trusted software that provides the necessary security guarantees to the
rest of the applications.  This, in principle, is no different from what is
true in E.  Or do you mean to suggest that E has no security kernel?

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595