Thoughts on droplets -- users vs. programs

Tyler Close
Wed, 3 Nov 1999 09:32:41 -0800 (PST)

shapj wrote:
> I reiterate that there is a fundamental flaw in Tyler's model; I shall try
> to express it more clearly this time.
> Tyler's model is that the holder of the capability is responsible for what
> is done with it.  Stated this way the model is accurate, but it has no
> useful correspondence to reality, because the holder of the capability is
> software rather than a person.

Based on later parts of this email, I believe you mean
untrusted software rather than just software. I think I now
understand your argument to be that both Droplets(TM) and E
cannot be secure as long as the user does not possess a
secure endpoint and data entry terminal. This is true.

I think your argument goes a step too far though. "If" the
user does have a secure endpoint, then both the
Droplets(TM) and E models do have a useful correspondence
to reality. I further submit that *all* security models
rely on the user having a secure endpoint/data entry
terminal. For instance, I believe your argument applies
equally well to the security of PGP.

> obeys the intent of the user.  Therefore, while Tyler's statement is
> correct -- control over the capability is in the hands of the holder (i.e.
> the web browser) -- this statement conveys no useful intuition about what
> restrictions exist on the transfer or use of the capability.

Well, you work with what you've got. I very much wish that
the web browser were running on EROS, but it's not. So I
make the assumption that the web browser has not been
infiltrated and carry on. Given the current state of the
world, this assumption is very often not a fatal one. 

The user can run linux/*BSD and use Droplet(TM)
applications from Navigator. All of this software is open
source, so the user can construct a secure endpoint from
scratch. Whether this secure endpoint remains secure is
probably an open question. *nix is not EROS.

For Windows users, the security of their computer is much
less under their control. Basically, I am relying on the
continued efforts of Microsoft to fend off attackers. Not a
great bulwark, but it's something. There is already a large
amount of money that goes through the browser. Simple
ecommerce via credit cards is already a billion dollar
industry. Several very wealthy entities have a large vested
interest in defending the client browser from attackers.
So, while waiting for a better solution, I'll throw my lot
in with them. Kindly hurry along EROS development.

> For this reason, I am delighted that people believe eCommerce can safely be
> done on windows, but somewhat disappointed that Tyler believes it.

I never said this. I only said: "Securing the client's TCB
from attackers is outside the scope of the provided

Use windows and hope for the best. Use *nix and be
eternally vigilant. These are your only current options.
It's too bad you stopped working on EROS.

> My delight stems from the fact that your average bear is smart enough to
> realize that the problem is Windows somewhere around the third time his
> online wallet is stolen.  My belief is that eCommerce is therefore the
> demise of Windows.  My disappointment comes from the fact that the
> community on this list is one of the communities from which the next
> generation of OS technology will spring, and I would therefore like its
> credibility to be untarnished in the eyes of third-party readers.

I haven't seen anyone on this list ever even hint that
Windows is a secure operating system. With Droplets(TM) and
E, we are simply moving forward in the hopes that there
will one day be a secure operating system.
