[E-Lang] defense in depth
Tyler Close
tclose@oilspace.com
Sat, 3 Feb 2001 12:30:54 -0000
David Wagner wrote:
> Tyler Close wrote:
> >I contend that this means that it is possible (even easy) in
> >practice to reach the perfect defense stage for a specific
> >authority.
>
> If we accept this premise, yes, I agree it would make defense in depth
> unnecessary. However, I remain unconvinced of the premise.
>
> I'm sure you've heard the phrase: "Extraordinary claims require
> extraordinary evidence." I'm not very fond of that saying, to be
> honest, but I hope you can see why paranoids like me might be skeptical
> about the likelihood of perfection, when security is on the line.
I don't much like platitudes either (not even using them as an excuse
for using them ;)
MarkM's MintMaker presentation does include the evidence you are
asking for. I can't imagine more convincing evidence.
Keep in mind that we're not talking about all-encompassing perfection,
but perfection with respect to a narrowly defined goal. The MintMaker
is small enough that such perfection seems attainable. The goal of a
capability-based design is to reduce the overall application into such
narrowly defined problems. We can then be sure that the finished
application does have certain security properties, even if it is
missing some other security properties.
Tyler