[E-Lang] Java 2 "Security" (was: Re: Welcome Chris Skalka and Scott Smith of Johns Hopkins)

Norman Hardy norm@agorics.com
Tue, 23 Jan 2001 09:30:21 -0800


>"Jonathan S. Shapiro" wrote:
>>
>> Ben Laurie wrote:
>>
>> > Fair enough. Nevertheless, this is something you can't defend against in
>> > a distributed capability system, which was my point. IIRC.
>>
>> Yes you can. A distributed capability system can use an encrypted
>> transport to transmit capabilities between runtimes.

>Yes, I am aware of that. That defends against theft in transit, but not
>theft of the remote machine, or careless key security on the remote
>machine.

>Hmmm. I'm not sure how valuable this point is, but since it is not being
>understood at all, I'll try again.

>If I have two pieces of code running on one machine, the OS can make
>guarantees about capabilities and their traceability to the two pieces
>of code. If they run on different machines, those guarantees cannot be
>made by the OS any longer: they also rely on things like a working
>secure transport, key security at both ends, and "capability security"
>at the remote end, _in addition to_ relying on the OS guarantees.

>In other words, on a single system I can ask the OS "does process X have
>capability Y?", and it can tell me (modulo me having authority to ask
>the question at all). On a distributed system, I cannot have that
>question answered (when process X is on a different machine) without
>making extra assumptions.

>This relates strongly to the whole discussion of "rely" in the technical
>sense MarkM has used it.

It is issues such as these for which the term "Trusted Computer Base", TCB, was invented.
See <http://cap-lore.com/CapTheory/Dist/DistTrust.html> about this. I talk about how a sensitive application may choose to distribute some more critical functions less far than some less critical functions.