[E-Lang] ERTP-aware MintMaker
Mark S. Miller
Wed, 14 Feb 2001 19:57:13 -0800
At 06:22 PM Wednesday 2/14/01, Jonathan S. Shapiro wrote:
>I really don't want to rain on MarkM's parade, but I really cannot let
>his note go uncritiqued.
>To say, however, that this is the first time a capability system has
>received serious scrutiny, however, is simply untrue,
Yes, of course it is simply untrue, and it is simply not at all what I said.
Please reread my note. I said it is the first time that it has received
this kind of *open public* review (emphasis added). So you aren't raining
on my parade because what you're disagreeing with ain't what I said.
As to the value of *open public* review, again, if you'll reread the note,
you'll see the main issue I'm raising is shared learning. Security review
behind closed doors cannot not lead us to "come to understand, though a
publicly archived and re-reviewable process, what programming practices,
patterns, and processes lead towards or away from danger."
Your note most directly challenges my "This is the only process that can
ever give real confidence in the security of a system." In fact, I can't
defend this statement as I stated it, because I didn't say whose confidence
I meant. I meant the confidence of those outside the closed doors. An open
public process, even if it is sloppier (which is certainly an interesting
claim worth talking about) is less corruptable.
Remember the behind-closed doors reviews of Clipper? Besides questioning
their quality, people also questioned their honesty. Whether they actually
were honest is besides the point -- it was a valid concern. DES is another
great case -- it now looks like the govt was telling the truth when they
said the S-Boxes were engineered to resist attack, not to provide a trap
door. But as long as the rationale was hidden, we were right to avoid it
like the plague. If I had to choose, I'd take "open public" over "rigorous"
We must apply our style of reasoning about security and trust not just *in*
the process of examining these systems, but *to* the process of examining