Jonathan S. Shapiro wrote:
>
> > > Note that if the program is confined there is little danger in letting
> > > it talk to the internet -- the user can only expose their own
> > > information.
> >
> > I don't think it is quite as simple as that, but then I may, again, be
> > missing something. Consider this scenario (assuming I'm running
> > Apache-SSL). I'm a bank. I have account information for a client. That
> > client has authenticated himself using a certificate. I wish to present
> > confidential data that only he should see via the SSL connection. How
> > can EROS assure that this happens?
>
> The problem is that I was speaking imprecisely.
>
> Suppose you have a system that is initially confined. This means that
> it initially has access to none of your precious information, and also
> that it initially has no outward communication channels.
>
> You control where things go from here. You can hand it precious data
> or not. You can hand it an authenticated connection (presumably safe)
> afterwards and still be safe. You can hand it the authority to make
> arbitrary connections and lose your shirt. You can hand it the
> authority to make arbitrary connections by means of a trusted system
> intermediary agent that will check with you first and retain some
> control.
>
> Provided that you control the outbound communication paths correctly,
> there is no danger in handing a confined subsystem access to sensitive
> information. More precisely, there is no additional danger beyond the
> inherent exposure in performing the communications that were necessary
> to perform the requested transaction.
>
> In your example, the more interesting case is actually in controlling
> account access. You'd like to know, for example, that the web page
> generator that displays account balances does not have the authority
> to do transfers between your accounts.
I'm beginning to suspect I should shut up until I'm better acquainted with how EROS does things.
Cheers,
Ben.
--
Ben Laurie            |Phone: +44 (181) 735 0686|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 735 0689|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |
A.L. Digital Ltd,     |Apache-SSL author http://www.apache-ssl.org/
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache
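An added illustration of the confinement argument in the quoted message (example code written for this page, not EROS or Apache-SSL code): a subsystem starts with no capabilities, is handed only a read-only account capability and a gated connection to the authenticated client, and so can neither transfer funds nor reach a peer the user did not approve. The ledger, account names and peer names are constructed for the example.

```python
# Constructed sample ledger; not real account data.
LEDGER = {"alice-checking": 500, "alice-savings": 1200}


class ReadBalanceCap:
    """Authority to read one account's balance, nothing more."""
    def __init__(self, acct):
        self._acct = acct

    def balance(self):
        return LEDGER[self._acct]


class TransferCap:
    """Authority to move funds out of one account (never handed to the page generator)."""
    def __init__(self, acct):
        self._acct = acct

    def transfer(self, dest, amount):
        LEDGER[self._acct] -= amount
        LEDGER[dest] += amount


class GatedConnectionCap:
    """Trusted intermediary: lets the subsystem reach only peers the user approved."""
    def __init__(self, approved):
        self._approved, self.audit = set(approved), []

    def send(self, peer, payload):
        ok = peer in self._approved
        self.audit.append((peer, "sent" if ok else "denied"))
        return ok


class ConfinedSubsystem:
    """Starts with no authority; its program can use only capabilities granted here."""
    def __init__(self):
        self._caps = {}

    def grant(self, name, cap):
        self._caps[name] = cap

    def run(self, program):
        return program(dict(self._caps))


def balance_page_generator(caps):
    """Renders a balance. It holds no transfer capability, so it cannot move money,
    and every outbound message must pass the gated connection it was given."""
    page = f"Balance: {caps['account'].balance()}"
    to_client = caps["conn"].send("client-session", page)
    elsewhere = caps["conn"].send("unapproved-peer", page)  # refused by the gate
    return {"page": page, "to_client": to_client, "elsewhere": elsewhere,
            "can_transfer": "transfer" in caps}  # authority == holding the cap


def run_balance_page():
    conn = GatedConnectionCap({"client-session"})  # only the authenticated client
    sub = ConfinedSubsystem()
    sub.grant("account", ReadBalanceCap("alice-checking"))
    sub.grant("conn", conn)
    result = sub.run(balance_page_generator)
    result["audit"] = conn.audit
    return result


if __name__ == "__main__":
    print(run_balance_page())
```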