[Cryptography] What do we mean by Secure?

Ben Laurie ben at links.org
Mon Feb 9 23:59:47 EST 2015


On 9 February 2015 at 16:23, Phillip Hallam-Baker <phill at hallambaker.com>
wrote:

>
>
> On Sat, Feb 7, 2015 at 7:05 PM, Bill Frantz <frantz at pwpconsult.com> wrote:
>
>> On 2/6/15 at 3:10 PM, kentborg at borg.org (Kent Borg) wrote:
>>
>>> Ah, but then one would have to stop and figure out what one is trying to
>>> do...damn! Can't I just ask for Wholesome Apple Pie and be done?
>>>
>>
>> The more I hear people talk about making things secure, the more I hope
>> they will explain what they mean by secure. What I mean, in the broadest
>> sense, is "Bad Things Won't Happen". Now this is a bit over nebulous. :-)
>>
>> In general, we think computers should enforce a policy. But what policy?
>> When I ask this question, the answer I generally get is, "Any policy you
>> want". But there are many policies we can't implement with our current
>> security mechanisms.
>>
>> On our home computers, my wife and my security policy is that both of us
>> should have full ownership permissions on all of our files since the owner
>> is the only one who can change certain meta-data, like who can access the
>> file. However, on our Unix based systems, a file can have only one owner.
>> (Our solution is to share accounts. As far as the computer is concerned,
>> there is only one of us.)
>>
>
> This is the wrong policy. You are never going to open those files, nor is
> your wife. You don't speak binary.
>
> Applications are going to open those files and what matters is that one
> application does not go rogue.
>
> We have the wrong metaphor for applications. They are not static objects,
> they are zombies or golems. We can give them tasks, but their true
> masters are the wizards that originally brought them to life by their
> incantations.
>
>
> Of course, I don't know of any system that would make such a policy viable.
>

As Bill points out, this is exactly the point of capability systems (he
didn't say it, but it is what he meant). A long time ago we had a choice
between ACLs and capabilities, and we chose the wrong thing.

Capability systems do exist, but we also have a lot of ACL-based
engineering to fix in order to properly use them.
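To make the distinction being drawn here concrete (one rogue application should not be able to reach everything the user owns), here is an added toy comparison in Python; it is not from the thread or from any real capability system, and the file names, store and app functions are constructed for illustration.

```python
# Added illustration (not from the thread): ambient authority, where any
# program running "as the user" can touch every file that user owns, versus
# object capabilities, where a program reaches only the files it was handed.
from dataclasses import dataclass, field


@dataclass
class UserFiles:
    """Everything the user owns; under the ACL model every app sees all of it."""
    files: dict = field(default_factory=dict)


def make_file_cap(store: UserFiles, name: str):
    """Mint a capability: two closures bound to exactly one file.
    Through them the holder cannot name any other file. (Python closures are
    not truly unforgeable; real capability systems rely on language- or
    OS-level enforcement. This is a model of the idea, not a sandbox.)"""
    def read() -> str:
        return store.files[name]

    def write(data: str) -> None:
        store.files[name] = data
    return read, write


def rogue_app_ambient(store: UserFiles) -> list:
    """A misbehaving app with ambient authority corrupts whatever it can see."""
    for name in store.files:
        store.files[name] = "CORRUPTED"
    return sorted(store.files)


def rogue_app_capability(write) -> None:
    """The same misbehaviour, but the app was only handed one file's write cap."""
    write("CORRUPTED")


def damage(store: UserFiles) -> list:
    """Which files ended up corrupted."""
    return sorted(n for n, d in store.files.items() if d == "CORRUPTED")


def compare() -> tuple:
    """Run the rogue app under both models and report the blast radius of each."""
    sample = {"taxes.txt": "1040 figures", "photos.jpg": "jpeg bytes", "notes.txt": "todo"}
    ambient = UserFiles(dict(sample))
    rogue_app_ambient(ambient)
    caps = UserFiles(dict(sample))
    _read_notes, write_notes = make_file_cap(caps, "notes.txt")  # only this file is delegated
    rogue_app_capability(write_notes)
    return damage(ambient), damage(caps)


if __name__ == "__main__":
    print(compare())  # (['notes.txt', 'photos.jpg', 'taxes.txt'], ['notes.txt'])
```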