[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Ben Laurie ben@algroup.co.uk
Tue, 23 Jan 2001 16:42:51 +0000

"Jonathan S. Shapiro" wrote:
> Ben Laurie wrote:
> > Fair enough. Nevertheless, this is something you can't defend against in
> > a distributed capability system, which was my point. IIRC.
> Yes you can. A distributed capability system can use an encrypted
> transport to transmit capabilities between runtimes.

Yes, I am aware of that. That defends against theft in transit, but not
theft of the remote machine, or careless key security on the remote

Hmmm. I'm not sure how valuable this point is, but since it is not being
understood at all, I'll try again.

If I have two pieces of code running on one machine, the OS can make
guarantees about capabilities and their traceability to the two pieces
of code. If they run on different machines, those guarantees cannot be
made by the OS any longer: they also rely on things like a working
secure transport, key security at both ends, and "capability security"
at the remote end, _in addition to_ relying on the OS guarantees.

In other words, on a single system I can ask the OS "does process X have
capability Y?", and it can tell me (modulo me having authority to ask
the question at all). On a distributed system, I cannot have that
question answered (when process X is on a different machine) without
making extra assumptions.

This relates strongly to the whole discussion of "rely" in the technical
sense MarkM has used it.

Now, I realise you can argue that the entire distributed system should
be appropriately engineered to make those extra assumptions non-onerous.
There are, undoubtedly, many cases where this can be done. What is
unclear to me is whether it can always be done, realistically. This is
why I am unsure of the value of the point.

Is that any clearer?

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff