Thoughts on droplets -- users vs. programs
Wed, 3 Nov 1999 09:32:41 -0800 (PST)
> I reiterate that there is a fundamental flaw in Tyler's model; I shall
> try to express it more clearly this time.
> Tyler's model is that the holder of the capability is responsible for
> what is done with it. Stated this way the model is accurate, but it has
> no useful correspondence to reality, because the holder of the
> capability is software rather than a person.
Based on later parts of this email, I believe you mean
untrusted software rather than just software. I think I now
understand your argument to be that both Droplets(TM) and E
cannot be secure as long as the user does not possess a
secure endpoint and data entry terminal. This is true.
I think your argument goes a step too far though. "If" the
user does have a secure endpoint, then both the
Droplets(TM) and E models do have a useful correspondence
to reality. I further submit that *all* security models
rely on the user having a secure endpoint/data entry
terminal. For instance, I believe your argument applies
equally well to the security of PGP.
> obeys the intent of the user. Therefore, while Tyler's statement is
> correct -- control over the capability is in the hands of the holder
> (i.e. the web browser) -- this statement conveys no useful intuition
> about what restrictions exist on the transfer or use of the
Well, you work with what you've got. I very much wish that
the web browser were running on EROS, but it's not. So I
make the assumption that the web browser has not been
infiltrated and carry on. Given the current state of the
world, this assumption is very often not a fatal one.
The user can run linux/*BSD and use Droplet(TM)
applications from Navigator. All of this software is open
source, so the user can construct a secure endpoint from
scratch. Whether this secure endpoint remains secure is
probably an open question. *nix is not EROS.
For Windows users, the security of their computer is much
less under their control. Basically, I am relying on the
continued efforts of Microsoft to fend off attackers. Not a
great bulwark, but it's something. There is already a large
amount of money that goes through the browser. Simple
ecommerce via credit cards is already a billion dollar
industry. Several very wealthy entities have a large vested
interest in defending the client browser from attackers.
So, while waiting for a better solution, I'll throw my lot
in with them. Kindly hurry along EROS development.
> For this reason, I am delighted that people believe eCommerce can safely
> be done on windows, but somewhat disappointed that Tyler believes it.
I never said this. I only said: "Securing the client's TCB
from attackers is outside the scope of the provided
Use windows and hope for the best. Use *nix and be
eternally vigilant. These are your only current options.
It's too bad you stopped working on EROS.
> delight stems from the fact that your average bear is smart enough to
> realize that the problem is Windows somewhere around the third time his
> online wallet is stolen. My belief is that eCommerce is therefore the
> demise of Windows. My disappointment comes from the fact that the
> community on this list is one of the communities from which the next
> generation of OS technology will spring, and I would therefore like its
> credibility to be untarnished in the eyes of third-party readers.
I haven't seen anyone on this list ever even hint that
Windows is a secure operating system. With Droplets(TM) and
E, we are simply moving forward in the hopes that there
will one day be a secure operating system.