[E-Lang] ERTP-aware MintMaker

Mark S. Miller markm@caplet.com
Wed, 14 Feb 2001 19:57:13 -0800

At 06:22 PM Wednesday 2/14/01, Jonathan S. Shapiro wrote:
>Mark, all:
>I really don't want to rain on MarkM's parade, but I really cannot let
>his note go uncritiqued.
>To say, however, that this is the first time a capability system has
>received serious scrutiny, however, is simply untrue, 

Yes, of course it is simply untrue, and it is simply not at all what I said. 
Please reread my note.  I said it is the first time that it has received 
this kind of *open public* review (emphasis added).  So you aren't raining 
on my parade because what you're disagreeing with ain't what I said.

As to the value of *open public* review, again, if you'll reread the note, 
you'll see the main issue I'm raising is shared learning.  Security review 
behind closed doors cannot not lead us to "come to understand, though a 
publicly archived and re-reviewable process, what programming practices, 
patterns, and processes lead towards or away from danger."

Your note most directly challenges my "This is the only process that can 
ever give real confidence in the security of a system."  In fact, I can't 
defend this statement as I stated it, because I didn't say whose confidence 
I meant.  I meant the confidence of those outside the closed doors.  An open 
public process, even if it is sloppier (which is certainly an interesting 
claim worth talking about) is less corruptable.

Remember the behind-closed doors reviews of Clipper?  Besides questioning 
their quality, people also questioned their honesty.  Whether they actually 
were honest is besides the point -- it was a valid concern.  DES is another 
great case -- it now looks like the govt was telling the truth when they 
said the S-Boxes were engineered to resist attack, not to provide a trap 
door.  But as long as the rationale was hidden, we were right to avoid it 
like the plague.  If I had to choose, I'd take "open public" over "rigorous" 
any day.

We must apply our style of reasoning about security and trust not just *in* 
the process of examining these systems, but *to* the process of examining 
these systems.