One Laptop per Child security

Ivan Krstić krstic at
Thu Feb 8 15:23:40 EST 2007

Hi Nico,

Nicolas Williams wrote:
> If this means pop-up dialogs for every little thing an application wants
> to do then the result may well be further training users to click 'OK'.

It really does help to read at least the introduction to the document in
question before hitting 'reply' to an e-mail :)

Here are two of the four guiding principles for Bitfrost, stated in the
first chapter of the spec:

>  * No reading required 
>  Security cannot depend upon the user's ability to read a message from the
>  computer and act in an informed and sensible manner. While disabling a
>  particular security mechanism may require reading, a machine must be secure
>  out of the factory if given to a user who cannot yet read.
>  * Unobtrusive security 
>  Whenever possible, the security on the machines must be behind the scenes,
>  making its presence known only through subtle visual or audio cues, and never
>  getting in the user's way. Whenever in conflict with slight user convenience,
>  strong unobtrusive security is to take precedence, though utmost care must be
>  taken to ensure such allowances do not seriously or conspicuously reduce the
>  usability of the machines. As an example, if a program is found attempting to
>  violate a security setting, the user will not be prompted to permit the action;
>  the action will simply be denied. If the user wishes to grant permission for
>  such an action, she can do so through the graphical security center interface.

Summary and other principles:
(borrowed directly from the full spec).

> As for browsers, you'd have to make sure that every window/tab/frame is
> treated as a separate application, and even then that probably wouldn't
> be enough.  Remember, the browser is a sort of operating system itself
> -- applying policy to it is akin to applying policy to the open-ended
> set of applications that it runs.

The browser is an environment, which makes it an edge case. Even so,
Bitfrost provides guarantees on what happens if you take over the
browser: it's very hard to violate the user's privacy, you can't harm
the machine in any way, you can't get unauthorized access to the user's
documents. From a systems security point of view, that's all I could
hope for. Security within the browser cannot lie in the scope of the
spec. (Not to say that I don't care about it, though -- I'm meeting with
Mozilla's CSO later today to talk about what we can do to make the
browsing experience more secure.)


Ivan Krstić <krstic at> | GPG: 0x147C722D

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list