[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
wojtek@ifirma.pl
Thu, 22 Mar 2001 17:35:36 +0100
You are right. I get it. Let me think it over again.
This problem might be reduced to: verify what you boot.
But wait a minute, there is an option, unfortunately quite hard to
implement: boot from the token. It would require two things to be put on the
token: 1. the bootstrap, 2. the kernel signature. Then the bootstrap would only
load the kernel from the hard drive and verify its signature. Then the kernel
would be responsible for verifying the signatures of the software it loads. The
trusted set of certificates might reside on the token. Let's also grant that the
bootstrap and your OS vendor cert are always read-only.
Do you find this possible? Anything wrong with this scenario?
Wojtek
From: "Mark S. Miller" <markm@caplet.com>
Sent by: eros-arch-admin@mail.eros-os.org
To: wojtek@ifirma.pl
cc: eros-arch@eros-os.org, Miriam Walker <mwalker@cs.berkeley.edu>
Subject: Re: [EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
Date: 22-03-01 16:58
At 06:08 AM Thursday 3/22/01, wojtek@ifirma.pl wrote:
>There is no software-only solution to this problem. Two-factor
>authorization is required, i.e. a USB token and a password. There are tokens
>currently under development, where your private key never leaves the token.
>This takes security two steps ahead.
Without taking hardware steps so you know what privileged code you're
booting, I don't see how this solves the problem. Please try walking
through my scenario using your "solution".
Cheers,
--MarkM
_______________________________________________
eros-arch mailing list
eros-arch@mail.eros-os.org
http://www.eros-os.org/mailman/listinfo/eros-arch
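The boot-from-token chain Wojtek sketches above (read-only bootstrap and vendor key on the token, kernel on the untrusted disk verified by the bootstrap, modules verified by the kernel against a trusted set held on the token) is modelled below as an added example; it is not code from the thread or from EROS. Everything in it is an assumption for illustration: ed25519 stands in for whatever signature scheme the token would use, raw public keys stand in for the "trusted set of certificates", the Token, Disk and Image types, and the image and key names are all constructed. The model also assumes what MarkM's reply questions, namely that the hardware really does run the token's bootstrap first; it shows what the chain checks once that is granted, not how that is established.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Image is a kernel or module as stored on the untrusted hard drive,
// together with its detached signature. (Constructed type for this example.)
type Image struct {
	Name string
	Body []byte
	Sig  []byte
}

// Token models the read-only part of the USB token: the vendor key the
// bootstrap trusts for the kernel, and the set of keys (standing in for
// certificates) the kernel trusts for the software it loads.
type Token struct {
	VendorPub  ed25519.PublicKey
	TrustedSet []ed25519.PublicKey
}

// Disk models the untrusted hard drive the bootstrap reads from.
type Disk struct {
	Kernel  Image
	Modules []Image
}

// signedMessage binds the signature to the image name as well as its body,
// so a validly signed module cannot be renamed and presented as the kernel.
func signedMessage(name string, body []byte) []byte {
	return append([]byte(name+"\x00"), body...)
}

// SignImage produces an image with a detached ed25519 signature.
func SignImage(priv ed25519.PrivateKey, name string, body []byte) Image {
	return Image{Name: name, Body: body, Sig: ed25519.Sign(priv, signedMessage(name, body))}
}

// VerifyImage checks img against one public key.
func VerifyImage(pub ed25519.PublicKey, img Image) bool {
	return ed25519.Verify(pub, signedMessage(img.Name, img.Body), img.Sig)
}

// Bootstrap is the code that lives on the token: it hands control only to a
// kernel the vendor key vouches for.
func Bootstrap(tok Token, kernel Image) error {
	if kernel.Name != "kernel" {
		return fmt.Errorf("bootstrap: image %q is not a kernel", kernel.Name)
	}
	if !VerifyImage(tok.VendorPub, kernel) {
		return errors.New("bootstrap: kernel signature invalid, refusing to boot")
	}
	return nil
}

// KernelLoad is the kernel's half of the chain: each module must be signed
// by some key in the token's trusted set. Loaded and rejected names are
// returned separately so the caller can see exactly what happened.
func KernelLoad(tok Token, mods []Image) (loaded, rejected []string) {
	for _, m := range mods {
		ok := false
		for _, pub := range tok.TrustedSet {
			if VerifyImage(pub, m) {
				ok = true
				break
			}
		}
		if ok {
			loaded = append(loaded, m.Name)
		} else {
			rejected = append(rejected, m.Name)
		}
	}
	return loaded, rejected
}

// Boot runs the whole chain: bootstrap verifies the kernel, then the now
// trusted kernel verifies everything it loads.
func Boot(tok Token, disk Disk) (loaded, rejected []string, err error) {
	if err := Bootstrap(tok, disk.Kernel); err != nil {
		return nil, nil, err
	}
	loaded, rejected = KernelLoad(tok, disk.Modules)
	return loaded, rejected, nil
}

// Outcome collects the results of the constructed scenario in RunScenario.
type Outcome struct {
	Loaded, Rejected    []string
	TamperedKernelErr   error // attacker flips a byte of the on-disk kernel
	RelabelledModuleErr error // attacker renames a signed module to "kernel"
}

// RunScenario builds a constructed token and disk: a vendor key, a second
// trusted key, one key nobody trusts, and images signed by each.
func RunScenario() (Outcome, error) {
	var out Outcome
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	otherPub, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	tok := Token{VendorPub: vendorPub, TrustedSet: []ed25519.PublicKey{vendorPub, otherPub}}
	disk := Disk{
		Kernel: SignImage(vendorPriv, "kernel", []byte("constructed kernel image")),
		Modules: []Image{
			SignImage(vendorPriv, "fs.ko", []byte("constructed vendor driver")),
			SignImage(otherPriv, "net.ko", []byte("constructed third-party driver")),
			SignImage(roguePriv, "rootkit.ko", []byte("signed by a key the token does not trust")),
		},
	}
	if out.Loaded, out.Rejected, err = Boot(tok, disk); err != nil {
		return out, err
	}
	tampered := disk // struct copy; give it its own kernel body before flipping a bit
	tampered.Kernel.Body = append([]byte{}, disk.Kernel.Body...)
	tampered.Kernel.Body[0] ^= 0x01
	_, _, out.TamperedKernelErr = Boot(tok, tampered)
	relabel := disk
	relabel.Kernel = disk.Modules[0] // validly signed by the vendor, but as "fs.ko"
	relabel.Kernel.Name = "kernel"
	_, _, out.RelabelledModuleErr = Boot(tok, relabel)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded:", out.Loaded, "rejected:", out.Rejected)
	fmt.Println("tampered kernel:", out.TamperedKernelErr)
	fmt.Println("relabelled module:", out.RelabelledModuleErr)
}
```

The two tampering cases at the end are the checks a practitioner would want before trusting such a chain: a bit-flipped kernel fails the bootstrap's vendor-key check, and a genuinely vendor-signed module renamed to "kernel" also fails, because the signed message includes the image name. Without that binding, anything the vendor ever signed could be booted as the kernel.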