Thoughts on droplets

Dan Bornstein danfuzz@milk.com
Tue, 2 Nov 1999 15:00:41 -0800 (PST)


shapj@us.ibm.com writes:
>> That was the obvious answer. But how do you protect the private key from
>> abuse?
>
>That's what the tamper-proof hardware is for.  I'm missing something.

Maybe I'm now stating the obvious but it sounds like there are two
distinct problems with not-completely-overlapping solutions:

1. Given a set of trusted hardware controlled by trusted people, how
can you link that hardware up over insecure networks to create a trusted
distributed virtual machine?

2. Given a set of (initially) untrusted hardware controlled by (initially)
untrusted people, how can you link *your* trusted (by you) hardware up to
that untrusted hardware such that you can successfully and selectively
build trust and communicate securely?

Jonathan seems to be talking about problem #1, but I think Droplets and E
are more about solving problem #2. Both problems are interesting and worth
solving. In particular, having a solution for #1 doesn't obviate the need
for solving #2 since it's impractical (in today's world) to believe that
everyone you wish to communicate with is trustworthy and is furthermore
running all their software on a trusted-hardware base that is
programmatically verifiable.

Now I have to ask, am *I* missing something?