Thoughts on droplets -- users vs. programs

Mark S. Miller markm@caplet.com
Wed, 03 Nov 1999 10:35:17 -0800


At 10:29 AM 11/3/99 , shapj@us.ibm.com wrote:
>Given that the end system may be insecure, it is better to require that
>capability use be within an authenticated session than to rely on encrypted
>transfer of capabilities.  The reason has to do with limiting the scope of
>the damage.  If a non-authenticated capability is leaked, the recipient
>must know something else to use it.  If an authenticated but session-local
>capability is leaked, the temporal scope of the exposure is well defined.
>I believe that capabilities will be transmitted without encryption (perhaps
>mistakenly) with high likelihood.  Session based authentication makes it
>significantly harder for me to use a capability that you believe is safe.

If my insecure system has been compromised by a knowledgeable and non-stupid
attacker, the attacker will seek to obtain whatever information I use to
perform this authentication.  As far as I can tell, for this argument to
work, it must somehow be harder for such an attacker to obtain my, for
example, private signing key than to obtain the Swiss number of one of my
capabilities.  Either way this issue resolves, I believe it applies equally
well to Droplets and Pluribus.

Jonathan, can you explain about partitioning?

>Indeed. This is why I am so concerned that the security of the endpoints be
>considered, and why the problem of endpoint security should not (IMHO) be
>dismissed so quickly.

I, likewise, don't believe anyone has been dismissive of endpoint security.
We are all eagerly awaiting the day when it will be practical to run on
EROS, and the yet farther away day when it will be safe to assume that our
customers are as well.  However, if I felt I had to wait for these to happen
before capabilities could make the world a safer place for cooperation, I
would be very depressed.  Like Tyler, I think distributed capabilities among
insecure platforms will happen first and create the market demand for
systems like EROS.  If there is a substantial effect in the other direction
as well, great.  Let's both keep pushing on our respective parts of the puzzle.


         Cheers,
         --MarkM