[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
Jonathan M. Smith
jms@central.cis.upenn.edu
Thu, 22 Mar 2001 14:34:38 EST
Yes. This was done (more or less) in the AEGIS system. See
http://www.cis.upenn.edu/~waa
-JMS
>
> You are right. I get it. Let me think it over again.
>
> This problem might be reduced to: verify what you boot.
>
> But wait a minute, there is an option, unfortunately quite hard to
> implement: boot from the token. It would require two things to be put on a
> token: 1. bootstrap 2. kernel signature. Then the bootstrap would only load
> the kernel from hard drive and verify its signature. Then the kernel would
> be responsible for verifying signatures of software it loads. The trusted
> set of certificates might reside on the token. Let's also grant that the
> bootstrap and your OS vendor cert are always read-only.
>
> Do you find this possible? Anything wrong in this scenario?
>
> Wojtek
>
> "Mark S. Miller" <markm@caplet.com>
> Sent by: eros-arch-admin@mail.eros-os.org
> 22-03-01 16:58
> To: wojtek@ifirma.pl
> cc: eros-arch@eros-os.org, Miriam Walker <mwalker@cs.berkeley.edu>
> Subject: Re: [EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
>
> At 06:08 AM Thursday 3/22/01, wojtek@ifirma.pl wrote:
> >There is no software-only solution to this problem. Two factor
> >authorization is required i.e. a USB token and password. There are tokens
> >currently under development, where your private key never leaves the token.
> >This takes security two steps ahead.
>
> Without taking hardware steps so you know what privileged code you're
> booting, I don't see how this solves the problem. Please try walking
> through my scenario using your "solution".
>
>
> Cheers,
> --MarkM
>
> _______________________________________________
> eros-arch mailing list
> eros-arch@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/eros-arch
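
The boot chain proposed in the quoted message (bootstrap and kernel signature on a read-only token, kernel verifying what it loads), sketched as an added example that is not part of the original thread. It assumes the machine really does start executing the token's bootstrap, and it uses toy unpadded RSA as a stand-in signature scheme; all names, keys and images are constructed.

```python
import hashlib

# Toy signature scheme: unpadded RSA over two Mersenne primes. Constructed for
# this illustration only; a real chain would use a vetted scheme and library.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # vendor's private exponent, never on the token

def digest(image: bytes) -> int:
    return int.from_bytes(hashlib.sha256(image).digest(), "big")

def sign(image: bytes) -> int:
    """Vendor-side signing of an image."""
    return pow(digest(image), D, N)

def verify(image: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(image)

# Constructed sample images standing in for what sits on the hard drive.
KERNEL = b"constructed kernel image"
APPS = {"shell": b"constructed shell binary", "editor": b"constructed editor binary"}
APP_SIGS = {name: sign(img) for name, img in APPS.items()}

# Read-only token contents: trusted vendor key ("cert") and the kernel signature.
# The bootstrap also lives on the token; boot() below plays its role.
TOKEN = {"vendor_pub": (N, E), "kernel_sig": sign(KERNEL)}

def boot(disk_kernel, disk_apps, app_sigs, token=TOKEN):
    """Stage 1: bootstrap verifies the kernel. Stage 2: kernel verifies programs."""
    pub = token["vendor_pub"]
    if not verify(disk_kernel, token["kernel_sig"], pub):
        return ("halt", [])  # never hand control to an unverified kernel
    loaded = [name for name, img in sorted(disk_apps.items())
              if verify(img, app_sigs.get(name, 0), pub)]
    return ("booted", loaded)

if __name__ == "__main__":
    print(boot(KERNEL, APPS, APP_SIGS))
    print(boot(KERNEL + b"\x90", APPS, APP_SIGS))
    print(boot(KERNEL, {**APPS, "shell": b"modified shell"}, APP_SIGS))
```

A modified kernel stops the boot at stage 1, while a modified or unsigned program is simply not loaded by the verified kernel.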