[E-Lang] defense in depth

hal@finney.org
Thu, 25 Jan 2001 11:07:01 -0800


Would this be an example of defense in depth:

I receive signed, mobile code from a remote system.  I compare the
signature against a list of key holders I trust in order to decide to run
the code.  As a further assurance, I only give the code capabilities to
use those files which should be necessary for its operation.

More concretely, suppose the company I work for authorizes only certain
programs to be run on workers' machines, and it does so by issuing a
signature by a company-controlled key on those programs.  Only if I see
this signature will I allow the program to run on my machine.

Now, if the capability system fails, I'm probably still OK because the
mobile code is unlikely to be hostile since it was signed by someone
I trust.  Or if the signature system fails (perhaps the signature key
was stolen), the damage a malicious applet can inflict is limited because
it only has capabilities appropriate to its task.  We have two defenses
and both have to fail for catastrophe to occur.

Would this form of defense in depth be appropriate for use in conjunction
with a capability system?

Hal
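The two layers described in the post, as an added Python example that is not part of the original message or of any E project code: layer 1 admits a program only if its signature checks against a list of trusted signers, and layer 2 hands the admitted program nothing but capability objects bound to the files it needs. Everything here is constructed: the signer name, the secret, the toy "program" format (a list of `[op, cap_name, payload]` steps) and the `FileCap` class are assumptions of this example, and an HMAC-SHA256 tag stands in for the public-key signature so the code runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Layer 1: signature check against the key holders we trust.
# Assumption: HMAC-SHA256 with a per-signer secret stands in for a
# public-key signature; the admission logic is the same either way.
TRUSTED_SIGNERS = {"corp-release-key": b"constructed-secret-of-company-key"}


def sign(program: dict, signer: str, secret: bytes) -> dict:
    """Produce a signed bundle: canonical JSON body plus signer id and tag."""
    body = json.dumps(program, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return {"signer": signer, "body": body, "tag": tag}


def verify(bundle: dict) -> bool:
    """Admit only bundles whose tag verifies under a trusted signer's key."""
    secret = TRUSTED_SIGNERS.get(bundle["signer"])
    if secret is None:
        return False
    expected = hmac.new(secret, bundle["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, bundle["tag"])


# Layer 2: file capabilities. The program never sees a path, only an
# object bound to one file and one mode; what was not granted cannot be named.
class FileCap:
    def __init__(self, path: str, mode: str):
        self._path, self._mode = path, mode

    def read(self) -> bytes:
        if "r" not in self._mode:
            raise PermissionError("no read right")
        with open(self._path, "rb") as f:
            return f.read()

    def write(self, data: bytes) -> None:
        if "w" not in self._mode:
            raise PermissionError("no write right")
        with open(self._path, "wb") as f:
            f.write(data)


def run(bundle: dict, caps: dict) -> dict:
    """Pass the bundle through layer 1, then interpret its steps under layer 2.
    Each step is [op, cap_name, payload]; ops are dispatched only to caps."""
    if not verify(bundle):
        return {"admitted": False, "log": ["signature rejected"], "out": {}}
    log, out = [], {}
    for op, name, payload in json.loads(bundle["body"])["steps"]:
        cap = caps.get(name)
        if cap is None:
            log.append(f"denied: no capability named {name!r}")
            continue
        try:
            if op == "read":
                out[name] = cap.read()
            elif op == "write":
                cap.write(payload.encode())
            log.append(f"ok: {op} {name}")
        except PermissionError as e:
            log.append(f"denied: {op} {name} ({e})")
    return {"admitted": True, "log": log, "out": out}


def demo() -> dict:
    """Constructed scenario: a benign program, an unsigned copy of it, and a
    hostile program signed with the (assumed stolen) company key."""
    d = tempfile.mkdtemp()
    cfg, secrets = os.path.join(d, "config.txt"), os.path.join(d, "secrets.txt")
    with open(cfg, "wb") as f:
        f.write(b"colour=blue")
    with open(secrets, "wb") as f:
        f.write(b"top secret")
    # Only the config (read) and a report file (write) are granted.
    caps = {"config": FileCap(cfg, "r"),
            "report": FileCap(os.path.join(d, "report.txt"), "w")}
    benign = {"steps": [["read", "config", None], ["write", "report", "done"]]}
    hostile = {"steps": [["read", "config", None],
                         ["read", "secrets", None],
                         ["write", "config", "tampered"]]}
    key = TRUSTED_SIGNERS["corp-release-key"]
    return {
        "benign": run(sign(benign, "corp-release-key", key), caps),
        "unsigned": run(sign(benign, "stranger", b"unknown-key"), caps),
        "stolen_key": run(sign(hostile, "corp-release-key", key), caps),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result["admitted"], result["log"])
```

`demo()` exercises both failure modes the post reasons about: the unsigned bundle never reaches the interpreter, and the hostile bundle signed with the stolen key is admitted but can only read the config it was granted; its attempts to read `secrets.txt` and to overwrite the config are refused by layer 2, so both layers must fail before the unauthorized file is touched.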