Thoughts on droplets -- users vs. programs
Wed, 3 Nov 1999 13:29:41 -0500

> I further submit that *all* security models
> rely on the user having a secure endpoint/data entry
> terminal. For instance, I believe your argument applies
> equally well to the security of PGP.

Indeed. This is why I am so concerned that the security of the endpoints be
considered, and why the problem of endpoint security should not (IMHO) be
dismissed so quickly.

I also want to be clear that I think Droplets is good stuff; I'm just
concerned that claims for Droplets security be stated in a way that
acknowledges the endpoint weakness.  The problem is certainly not
particular to droplets.

Now that we have this down, I can go back to the authentication discussion.
Here are my thoughts:

Given that the end system may be insecure, it is better to require that
capability use be within an authenticated session than to rely on encrypted
transfer of capabilities.  The reason has to do with limiting the scope of
the damage.  If a non-authenticated capability is leaked, the recipient
must know something else to use it.  If an authenticated but session-local
capability is leaked, the temporal scope of the exposure is well defined.
I believe that capabilities will be transmitted without encryption (perhaps
mistakenly) with high likelihood.  Session-based authentication makes it
significantly harder for me to use a capability that you believe is safe.

Jonathan S. Shapiro, Ph. D.
Research Staff Member
IBM T.J. Watson Research Center
Phone: +1 914 784 7085  (Tieline: 863)
Fax: +1 914 784 7595
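
The scope-limiting argument in the message above, sketched as an added example; it is not part of the original message and is not Droplets code. It assumes a hypothetical `Server` class, HMAC-SHA256 tags, a secret session id as the session authenticator, and time passed in as integer seconds.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret, never sent out


def _tag(*fields: str) -> str:
    msg = "\x00".join(fields).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def _ok(tag: str, expected: str) -> bool:
    return hmac.compare_digest(tag.encode(), expected.encode())


class Server:
    def __init__(self):
        self.sessions = {}  # session id -> (user, expires_at)

    def login(self, user: str, now: int, lifetime: int = 3600) -> str:
        """Stands in for real authentication; returns a secret session id."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = (user, now + lifetime)
        return sid

    def mint_bearer(self, obj: str) -> str:
        # Bearer capability: possession of the string alone authorizes use.
        return f"{obj}:{_tag('bearer', obj)}"

    def mint_session_cap(self, sid: str, obj: str) -> str:
        # Session-local capability: the tag also covers the holder's session id.
        return f"{obj}:{_tag('session', sid, obj)}"

    def use_bearer(self, cap: str) -> bool:
        obj, _, tag = cap.rpartition(":")
        return _ok(tag, _tag("bearer", obj))

    def use_session_cap(self, sid: str, cap: str, now: int) -> bool:
        session = self.sessions.get(sid)
        if session is None or now >= session[1]:
            return False  # no live authenticated session: the exposure window has closed
        obj, _, tag = cap.rpartition(":")
        return _ok(tag, _tag("session", sid, obj))
```

A capability string that leaks in the clear is usable by anyone in the bearer form, while the session-local form is rejected from any other session and from the original session once it has expired.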