On Sun, 2006-04-30 at 03:52 +0200, Bas Wijnen wrote:
> > What Marcus describes is a situation where (a) the parent establishes
> > the authorized channels and (b) the parent can spy on the child's state.
> > The second provision violates the requirement for intent.
>
> Huh? Why can't the child intend to transmit if it was started by the parent?
You have it backwards. The correct question is: Does the mere fact that
the child was instantiated by the parent imply that the child consents
to disclose state to the parent?

> We are talking here about things like browser plugins.

You were, but my comment is in the broader context of a debate about
confinement. It is not limited to subordinate subsystems. These are a
useful special case, but not instructive for purposes of the broader
debate.

> > So: what Marcus calls "trivial confinement" is not confinement at all. I
> > do not agree with what he proposes, but the policy that he proposes is
> > not morally wrong. I *do* object very strongly to calling it
> > confinement, because it is not confinement. What Marcus actually
> > proposes is hierarchical exposure.
>
> That too, but that's not the reason it's confinement. It's confinement
> because the child process cannot communicate with anyone, except with explicit
> permission of the parent (in the form of a capability transfer).

It is also not confinement if the parent can read the child without the
consent of the child. Therefore it is not confinement at all.

> > Marcus proposes that any "parent" should have intrinsic access to the
> > state of its "children". This property is necessarily recursive. It
> > follows that the system administrator has universal access to all user
> > state, and that "safe" backups are impossible.
>
> Nonsense. As you said yourself a few months ago, the administrator might not
> have the right to touch everything.

In the purely hierarchical model that Marcus proposes, this property is
not achieved. That is the problem that I am objecting to.

> > Further, it follows that cryptography is impractical, because there exists no
> > location on the machine where a cryptographic key can be stored without
> > exposure to the administrator.
> >
> > That is: in Marcus's proposal, there is no possibility of privacy.
>
> I believe I have disproven that statement.

Sorry. You have not.
> > > My position on the confined constructor design pattern, ie non-trivial
> > > confinement, is NOT that "it supports DRM, therefore it should be
> > > banned". My position on the confined constructor pattern is: "I have
> > > looked at ALL use cases that people[*] suggest for it, and find all of
> > > them either morally objectionable, or, in the context of the Hurd,
> > > replaceable by other mechanisms which don't require it."
> >
> > Excellent. Please propose an alternative mechanism -- ANY alternative
> > mechanism -- in which it is possible for a user to store cryptography
> > keys without fear of exposure. If we can solve this, then I am prepared
> > to concede that we can store private data in general.
>
> In general, keep the chain of parents short and trusted.

Since all processes are (ultimately) in some chain derived from processes
that the administrator controls, no privacy against the administrator is
possible.

> > We are discussing a very important, foundational point. I believe that
> > this debate should be public, that it should be uncompromising, and that
> > it should evolve over time. Your ideas are incomplete. So are mine. Let
> > us start a Wiki page for this discussion that will allow us to evolve
> > it. Such decisions NEED the light of day.
>
> Personally, I prefer the mailing list for discussions. It would be a very
> good idea if the resulting conclusions are archived in a better way than
> "somewhere in the list archives". For that a wiki is useful. But I wouldn't
> want to need to poll web pages in order to see if someone said something.

Yes. But the result needs to be edited and maintained as well.

> > If I have a right to choice, it is a right to *stupid* choice.
>
> Choice is not a right in all situations.

I agree. However, choice is a right in all situations where no
*overwhelming* third party harm can be shown to the satisfaction of the
consensus of the society.
> > You propose to solve *your* long-term social objectives by undermining the
> > social process of consensus.
>
> What consensus?

Yes. That is the point. In the absence of social consensus it is immoral
to impose *any* dogma on society in the absence of demonstrated harm to
third parties.

> > If there is a better definition of evil, I do not know it.
>
> I do. Evil is when a person acts in a way that is against his or her own
> moral values.

No. This is the second type of evil. The first type is when a person acts
in a way that imposes their values on others without sufficient evidence
of universal merit.

shap

_______________________________________________
L4-hurd mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/l4-hurd
