Re: Design principles and ethics (was Re: Execute without read (was [...
From: Jonathan S. Shapiro
Subject: Re: Design principles and ethics (was Re: Execute without read (was [...]))
Date: Sat, 29 Apr 2006 22:23:16 -0400
On Sun, 2006-04-30 at 03:52 +0200, Bas Wijnen wrote:
> > What Marcus describes is a situation where (a) the parent establishes
> > the authorized channels and (b) the parent can spy on the child's state.
> > The second provision violates the requirement for intent.
>
> Huh? Why can't the child intend to transmit if it was started by the parent?
You have it backwards. The correct question is:
Does the mere fact that the child was instantiated by the parent
imply that the child consents to disclose state to the parent?
> We are talking here about things like browser plugins.
You were, but my comment is in the broader context of a debate about
confinement. It is not limited to subordinate subsystems. These are a
useful special case, but not instructive for purposes of the broader
debate.
> > So: what Marcus calls "trivial confinement" is not confinement at all. I
> > do not agree with what he proposes, but the policy that he proposes is
> > not morally wrong. I *do* object very strongly to calling it
> > confinement, because it is not confinement. What Marcus actually
> > proposes is hierarchical exposure.
>
> That too, but that's not the reason it's confinement. It's confinement
> because the child process cannot communicate with anyone, except with explicit
> permission of the parent (in the form of a capability transfer).
It is also not confinement if the parent can read the child without the
consent of the child. Therefore it is not confinement at all.
> > Marcus proposes that any "parent" should have intrinsic access to the
> > state of its "children". This property is necessarily recursive. It
> > follows that the system administrator has universal access to all user
> > state, and that "safe" backups are impossible.
>
> Nonsense. As you said yourself a few months ago, the administrator might not
> have the right to touch everything.
In the purely hierarchical model that Marcus proposes, this property is
not achieved. That is the problem that I am objecting to.
> > Further, it follows that cryptography is impractical, because there exists no
> > location on the machine where a cryptographic key can be stored without
> > exposure to the administrator.
> >
> > That is: in Marcus's proposal, there is no possibility of privacy.
>
> I believe I have disproven that statement.
Sorry. You have not.
> > > My position on the confined constructor design pattern, ie non-trivial
> > > confinement, is NOT that "it supports DRM, therefore it should be
> > > banned". My position on the confined constructor pattern is: "I have
> > > looked at ALL use cases that people[*] suggest for it, and find all of
> > > them either morally objectionable, or, in the context of the Hurd,
> > > replaceable by other mechanisms which don't require it."
> >
> > Excellent. Please propose an alternative mechanism -- ANY alternative
> > mechanism -- in which it is possible for a user to store cryptography
> > keys without fear of exposure. If we can solve this, then I am prepared
> > to concede that we can store private data in general.
>
> In general, keep the chain of parents short and trusted.
Since all processes are (ultimately) in some chain derived from
processes that the administrator controls, no privacy against the
administrator is possible.
> > We are discussing a very important, foundational point. I believe that
> > this debate should be public, that it should be uncompromising, and that
> > it should evolve over time. Your ideas are incomplete. So are mine. Let
> > us start a Wiki page for this discussion that will allow us to evolve
> > it. Such decisions NEED the light of day.
>
> Personally, I prefer the mailing list for discussions. It would be a very
> good idea if the resulting conclusions are archived in a better way than
> "somewhere in the list archives". For that a wiki is useful. But I wouldn't
> want to need to poll web pages in order to see if someone said something.
Yes. But the result needs to be edited and maintained as well.
> > If I have a right to choice, it is a right to *stupid* choice.
>
> Choice is not a right in all situations.
I agree. However, choice is a right in all situations where no
*overwhelming* third party harm can be shown to the satisfaction of the
consensus of the society.
> > You propose to solve *your* long-term social objectives by undermining the
> > social process of consensus.
>
> What consensus?
Yes. That is the point. In the absence of social consensus it is immoral
to impose *any* dogma on society in the absence of demonstrated harm to
third parties.
> > If there is a better definition of evil, I do not know it.
>
> I do. Evil is when a person acts in a way that is against his or her own
> moral values.
No. This is the second type of evil. The first type is when a person
acts in a way that imposes their values on others without sufficient
evidence of universal merit.
shap