[14318] in cryptography@c2.net mail archive
Re: Reliance on Microsoft called risk to U.S. security
daemon@ATHENA.MIT.EDU (Zooko)
Sun Sep 28 12:19:23 2003
X-Original-To: cryptography@metzdowd.com
Date: 27 Sep 2003 20:31:40 -0400
From: "Zooko" <zooko@zooko.com>
To: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Cc: Victor.Duchovni@morganstanley.com,
"Bill Frantz" <frantz@pwpconsult.com>,
"Ian Grigg" <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: Message from "Jeroen C. van Gelderen" <jeroen@vangelderen.org> of "Sat, 27 Sep 2003 13:51:52 EDT." <46C3ECBF-F113-11D7-B683-00039375644C@vangelderen.org>
"Jeroen C. van Gelderen" <jeroen@vangelderen.org> wrote:
>
> There is no way around asking the user because he is the ultimate
> authority when it comes to making trust decisions. (Side-stepping the
> issues in a (corporate) environment where the owner of the machine is
> entitled to restrict its users in any way he sees fit. The point is
> that the software agent cannot make trust decisions.)
... but you don't always have to *ask* the user, if instead you can infer from
actions that the user already performs.
I used to think that a capability desktop would be severely hobbled by the
requirement that the user state a plethora of privilege rules, until I saw
Marc Stiegler's CapDesk demo at the second O'Reilly Emerging Technologies
conference.
In that demo, a perfectly familiar desktop with "File -> Open" and
"File -> Save As" dialogs also serves as a Least-Privilege-enforcing access
control system which protects even a naive and lazy user from a malicious text
editor.
See also Ping Yee's research in secure Human Interface.
Regards,
Zooko O'Whielacronx
http://zooko.com/log.html
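The CapDesk mechanism Zooko describes, as an added illustration that is not CapDesk's code nor anything from the original message: the trusted desktop ("powerbox") holds ambient filesystem authority, the user's click in "File -> Open" or "Save As" is the act of authorization, and the untrusted editor receives only a capability to the one file that was picked, never a path or an open() of its own. The class and function names (FileCap, Powerbox, run_demo) are mine. The editor's logic runs under an empty builtins table purely to model "no ambient authority"; CPython's exec is not a sandbox, so treat that part as a stand-in for a real capability-confined runtime.

```python
# Added illustration (not CapDesk's code): the "powerbox" pattern, where the
# user's choice in a trusted File -> Open / Save As dialog is the act that
# grants an untrusted editor access to exactly that file. Names are mine.
import os
import tempfile


class FileCap:
    """A capability to one already-open file: read/write only, no path.

    The holder cannot derive other files from it, because the only thing it
    carries is a descriptor the trusted side opened on the user's behalf."""

    def __init__(self, fd):
        self._fd = fd

    def read(self):
        os.lseek(self._fd, 0, os.SEEK_SET)
        chunks = []
        while True:
            chunk = os.read(self._fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks).decode()

    def write(self, text):
        os.lseek(self._fd, 0, os.SEEK_SET)
        os.ftruncate(self._fd, 0)
        os.write(self._fd, text.encode())


class Powerbox:
    """Trusted part of the desktop. It has ambient authority over the whole
    filesystem, but only ever hands out a FileCap for a path the user picked."""

    def __init__(self, choose):
        self._choose = choose  # stands in for the GUI dialog; returns the user's pick
        self._fds = []

    def open_dialog(self):
        fd = os.open(self._choose(), os.O_RDWR)
        self._fds.append(fd)
        return FileCap(fd)

    def close_all(self):
        for fd in self._fds:
            os.close(fd)
        self._fds.clear()


# The editor's logic is run with an empty builtins table: no open(), no
# __import__. The only authority it starts with is the `powerbox` reference.
# (Stripping builtins only models "no ambient authority"; CPython's exec is
# not a security boundary, so do not rely on it as a sandbox.)
EDITOR_SOURCE = '''
doc = None

def file_open():
    global doc
    doc = powerbox.open_dialog()   # the user's click is the grant
    return doc.read()

def file_save(text):
    doc.write(text)               # can only write the file it was handed

def sneak(path):
    return open(path).read()      # a malicious editor reaching for an undesignated file
'''


def run_demo():
    """Create a letter the user edits and a secret they never designate;
    return what the editor could read, what it saved, and whether it leaked."""
    with tempfile.TemporaryDirectory() as d:
        letter = os.path.join(d, "letter.txt")
        secret = os.path.join(d, "secret.txt")
        with open(letter, "w") as f:
            f.write("dear bob")        # constructed sample data
        with open(secret, "w") as f:
            f.write("hunter2")         # constructed sample data

        pb = Powerbox(choose=lambda: letter)   # simulate the user picking letter.txt
        ns = {"__builtins__": {}, "powerbox": pb}
        exec(EDITOR_SOURCE, ns)

        opened = ns["file_open"]()
        ns["file_save"]("dear bob, hello")
        try:
            ns["sneak"](secret)
            leaked = True
        except NameError:          # 'open' does not exist in the editor's world
            leaked = False
        pb.close_all()
        with open(letter) as f:
            saved = f.read()
    return {"opened": opened, "saved": saved, "leaked": leaked}


if __name__ == "__main__":
    print(run_demo())
```

The point the demo makes is that no privilege rule was ever stated: the user did nothing beyond the usual Open and Save, and the editor still ended up with authority over exactly one file.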
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com