[E-Lang] Other languages with secure capabilities

Marc Stiegler marcs@skyhunter.com
Thu, 10 May 2001 10:09:43 -0700


> Sorry I am not able to answer right now. But the implementation of Secure
> Mozart and the design for the first version is almost ready. The
> implementation is interesting in fact. At the language level security
> overrides distribution behavior to guarantee language security. The
> language itself is secure. This means for example that an object that has
> migratory behavior becomes stationary if an attempt to access the object
> comes from an untrusted site.

I know this was a quick response you made, and not as well crafted as I'd
guess you'll make when you get back from your trip, but let me point
out a couple of things I look forward to hearing clarified.

The phrase "untrusted site", while it is a phrase that feels comfortable, is
almost always a false description. When using English, most of the populace
(including myself) tends to use the phrase "untrusted" quite often--but when
speaking in non-computerese situations, the real truth is always implied by
the context of the conversation. When I say "I don't trust Joe", what I
really mean is, "I don't trust Joe with my car keys" if borrowing the car
was the context. In fact, I might have lent Joe my newest Java book the day
before--if the context of the conversation had been borrowing a book, I
would have said, "of course I trust him."

In fact, human beings almost never totally trust or totally distrust anyone.
I would trust mark miller with my bank account or my life, but I would not
trust him to remain focused on his current development effort without an
occasional reminder to stay on target :-) People who still hold grudges
against me because of difficult decisions I made while in management a few
years ago, whom I would not trust in the same city, even them I still trust
with read-access to my Web site.

Human trust relationships are enormously complex and subtle. Not only is
"trust versus distrust" a false dichotomy, so is "trust-more versus
trust-less" (or, "on a scale from 0 to 10, how much do you trust him?").
Only when we build computer systems do we discard all the deeply-ingrained
knowledge of this stuff that seems prewired in our neurons, and go with
these kinds of crude approximations.

Having built a small number of capability secure distributed systems with E,
I am amused at how slowly I am evolving the ability to tease out the details
of the true trust relationships that must be expressed in particular
software systems--it is clear that I have all the correct machinery in my
brain to understand those relationships, but it all works on the
subconscious/instinctive level, and forcing it up to a cogent articulated
description, so I can implement it in software, is really hard work (at
least for me). In systems of even modest trust complexity, I am as yet
unable to get it right the first time (I was made rudely aware of this while
working with markm on the 5-party salesman Smart Contract, before Steven
Jenson took over that effort) even though, in the physical world, I doubt
that I would have made any mistakes.

Yet our computer systems are going to have to reflect that human richness of
trust relationships if they are to succeed.

On a more detailed level, if a site is truly untrusted, it should never have
acquired the authority to talk to the object in the first place, much less
cause it to move to another machine. For the truly untrusted site to talk to
the object means a security breach has already occurred.

--marcs