[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
Mark S. Miller
markm@caplet.com
Thu, 22 Mar 2001 05:33:19 -0800
At 07:59 PM Wednesday 3/21/01, Ka-Ping Yee wrote:
>On Wed, 21 Mar 2001, Mark S. Miller wrote:
>> There is *no way* to protect these users. [...]
>
>Technically, you are correct. But then why are you developing E?
>Why should anyone use EROS if the game is already lost?
>
>(I believe the answer to these questions is also my answer to your
>argument. I would like to see what your answer is, though.)
My "these users" above -- the ones that can't be protected -- are the ones
Robert Wittams originally referred to:
On 17 Mar 2001, Robert Wittams wrote:
> There is no way to protect the user if he allows "pranksters" to access
> a machine with his authority. [...]
I take his "access" to mean physical access. Physical access to stock
hardware gives the power to undetectably corrupt. E and EROS are for other
users: 1) Primarily those that have some measure of physical security, such
as a computer at home, where the home is assumed to be tamper-evident. But
also 2) those rare users that aren't using stock hardware, such as opaque
boxes http://www.agorics.com/agoricpapers/aos/aos.6.html#section6.1.2 .
Jonathan has done much more thinking about #2 than I. It's fair to say that
E is designed with only #1 in mind, although users in category #2 should
also be able to get mileage out of E. See the three hardware security
scenarios at http://www.erights.org/elib/capability/conspire.html#revokability
Cheers,
--MarkM